Program Equivalence in Linear Contexts 



Yuxin Deng^{1,2} and Yu Zhang^2

^1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China
^2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China



Abstract. Program equivalence in linear contexts, where programs are used or executed exactly once, is an important issue in programming languages. However, existing techniques like those based on bisimulations and logical relations only target contextual equivalence in the usual (non-linear) functional languages, and fail to capture non-trivial equivalent programs in linear contexts, particularly when non-determinism is present.

We propose the notion of linear contextual equivalence to formally characterize such program equivalence, as well as a novel and general approach to studying it in higher-order languages, based on labeled transition systems specifically designed for functional languages. We show that linear contextual equivalence indeed coincides with trace equivalence. We illustrate our technique in both deterministic (a linear version of PCF) and non-deterministic (linear PCF in Moggi's framework) functional languages.



1 Introduction 

Contextual equivalence is an important concept in programming languages and can be 
used to formalize and reason about many interesting properties of computing systems. 
For functional languages, there are many techniques that can help to prove contextual 
equivalence. Among others, applicative bisimulations [1, 14] and logical relations [25, 
28] are particularly successful. 

On the other side, linear logic (and its term correspondence often known as linear λ-calculus) has seen significant applications in computer science ever since its birth, due to its native mechanism of describing restricted use of resources. For example, the linear λ-calculus provides the core of a functional programming language with an expressive type system, in which statements like "this resource will be used exactly once" can be formally expressed and checked. Such properties become useful when introducing imperative concepts into functional programming [13], structural complexity theory [12], or analyzing memory allocation [30]. Moreover, linear λ-calculus, when equipped with dependent types, can serve as a representation language within a logical framework, a general meta-language for the formalization of deductive systems [6].

Introducing linearity also leads to novel observation over program equivalences. In particular, if we consider a special sort of contexts where candidate programs must be used linearly (we call these contexts linear contexts), program equivalence with respect to these contexts should be a coarser relation than the usual notion of contextual equivalence, especially when non-determinism is present. For instance, take Moggi's language for non-determinism [19], where we have a primitive $\sqcap$ for non-deterministic choice (same as the internal choice in CSP [11]), and consider the following two functions:

$f_1 \stackrel{\mathrm{def}}{=} \mathtt{val}(\lambda x.\,\mathtt{val}(0) \sqcap \mathtt{val}(1)), \qquad f_2 \stackrel{\mathrm{def}}{=} \mathtt{val}(\lambda x.\,\mathtt{val}(0)) \sqcap \mathtt{val}(\lambda x.\,\mathtt{val}(1)).$

Existing techniques such as bisimulation or logical relations distinguish these two functions. In fact, it is easy to show that they are not equivalent in arbitrary contexts, by considering, e.g., the context

$\mathtt{bind}\ f = [\_]\ \mathtt{in}\ \mathtt{bind}\ x = f(0)\ \mathtt{in}\ \mathtt{bind}\ y = f(0)\ \mathtt{in}\ \mathtt{val}(x = y).$

The context makes a double evaluation of the function by applying it to concrete arguments (noticing that Moggi's language enforces a call-by-value evaluation of non-deterministic computations): with the first function $f_1$, the two evaluations of $f(0)$ can return different values since the non-deterministic choice is inside the function body; with the second function $f_2$, the non-deterministic choice is made before both evaluations of $f(0)$ and computation inside the function is deterministic, so the two evaluations always return the same value. But if we consider only linear contexts, where programs will be evaluated exactly once, then the two functions must be equivalent. However, no existing technique, at least to the best of our knowledge, can characterize such an equivalence relation with respect to linear contexts.
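As an added illustration (not code from the paper), the two functions and both contexts can be run in Python by modelling Moggi's non-deterministic computations as sets of possible results (the powerset monad): val(v) is the singleton set, bind unions the continuation over every possible value, and the choice primitive is set union. The names f1, f2, ctx_double, ctx_single and distinguishes are this example's own; the double-evaluation context separates the two functions, while the single-use (linear) context cannot.

```python
# Non-determinism as sets of possible outcomes (powerset monad), an assumed
# encoding used only for this illustration: val(v) = {v}, bind(m, k) = the
# union of k(v) over v in m, and m1 choice m2 = m1 | m2.

def val(v):
    return frozenset([v])

def choice(m1, m2):
    """The non-deterministic choice primitive (internal choice)."""
    return m1 | m2

def bind(m, k):
    out = set()
    for v in m:
        out |= k(v)
    return frozenset(out)

# f1 = val(lambda x. val(0) choice val(1)): the choice is made at every call.
f1 = val(lambda x: choice(val(0), val(1)))

# f2 = val(lambda x. val(0)) choice val(lambda x. val(1)): the choice is made once,
# when the function itself is evaluated; each branch is then deterministic.
f2 = choice(val(lambda x: val(0)), val(lambda x: val(1)))

def ctx_double(m):
    """bind f = [_] in bind x = f(0) in bind y = f(0) in val(x = y):
    a non-linear context, the function is applied twice."""
    return bind(m, lambda f:
                bind(f(0), lambda x:
                     bind(f(0), lambda y: val(x == y))))

def ctx_single(m):
    """bind f = [_] in bind x = f(0) in val(x):
    a linear context, the function is applied exactly once."""
    return bind(m, lambda f: bind(f(0), lambda x: val(x)))

def distinguishes(ctx):
    """True iff the context observes different outcome sets for f1 and f2."""
    return ctx(f1) != ctx(f2)

if __name__ == "__main__":
    print("double:", sorted(ctx_double(f1)), sorted(ctx_double(f2)))
    print("single:", sorted(ctx_single(f1)), sorted(ctx_single(f2)))
```

With the double-evaluation context f1 yields both True and False while f2 yields only True; with the single-use context both functions yield exactly {0, 1}, which is the linear equivalence the paper sets out to characterize.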

1.1 Related work 

The motivation of the work first comes from the second author's work on building a logic (namely CSLR) for reasoning about computational indistinguishability, which is an essential concept in complexity-theoretic cryptography and helps to define many important security criteria [32,8]. The CSLR logic is based on a functional language which characterizes probabilistic polynomial-time computations by typing, where linearity plays an important role. A rule that can identify program equivalence in linear contexts 3 can help to simplify many proofs, e.g., the IND-CPA proof of the ElGamal encryption, which is currently in the form of so-called game-based proofs [20]. Although the language of the CSLR logic is probabilistic, a general proof technique of linear contextual equivalence is missing from the literature, particularly in the setting of pure non-determinism where there exist programs that are equivalent in linear contexts but not in general, as we described previously.

Program equivalence with respect to non-linear contexts has been widely investigated. Logical relations are one of the powerful tools for proving contextual equivalence in typed lambda-calculi, in both operational [22,23,5] and denotational settings [25, 18, 10]. They are defined by induction on types, hence are relatively easy to use. But it is known that completeness of (strict) logical relations is often hard to achieve, especially for higher-order types. It is even worse for monadic types, particularly when non-determinism is present [17].

3 More precisely, in the setting of cryptography we consider adversaries that can call a procedure a polynomial number of times. It has been proved, with certain constraints, that such adversaries cannot achieve more than those who call the program only once, which can be seen as a linear context in CSLR.



Characterization in terms of simulation relations has been studied in functional languages [14,9,21, 16], as well as languages with linear type systems [4]. Due to the higher-order features of the languages, it is difficult to directly prove the precongruence property of similarity. A common feature crucial to this line of research is then to follow Howe's approach [14], which requires one first to define a precongruence candidate, a precongruence relation by construction, and then to show the coincidence of that relation with simulation. An alternative approach, such as environmental bisimulation proposed in [27], has a built-in congruence property, but then the definition itself has very complex conditions.

1.2 Contribution 

In this paper we consider contextual equivalence with respect to linear contexts only. Our approach is developed in a linear version of PCF and we propose a formal definition of the so-called linear contextual equivalence, which characterizes the notion of program equivalence when programs are used only once. We give a sound and complete characterization of the linear contextual equivalence in terms of trace equivalence, based on appropriate labeled transition semantics for terms. In order to show the congruence property of trace equivalence, we exploit the internal structure of linear contexts, instead of relying on Howe's approach.

While term transitions are a relatively standard concept, the notion of context transitions that we have introduced in the development is novel. It models the interactions between programs and contexts and may have potential use in game semantics [2, 15]. We also notice that such context transitions (along with program transitions) conform to the idea of rely-guarantee reasoning, which has been successfully applied in the verification of concurrent programs [31,29,7], and may suggest an alternative approach.

Although the entire development is based on an operational treatment, the technique is general enough to be adapted to other languages with linear type systems. Indeed, we show that our approach can be applied in a non-deterministic extension of the linear PCF based on Moggi's framework with monadic types, where trace equivalence also serves as a sound and complete characterization of linear contextual equivalence. The result particularly helps us to prove the equivalence of the two functions in the previous example, as we can show that they are trace equivalent.

One can probably employ Howe's approach when proving linear contextual equivalence in a deterministic language. While Howe's approach applies to a wider variety of occasions, it is more involved; our approach is much simpler because we take advantage of linearity in resource usage. Furthermore, in non-deterministic languages, simulation based techniques fail to characterize linear contextual equivalence.

1.3 Outline 

The rest of the paper is organized as follows: Section 2 defines briefly a linear version of call-by-name PCF with a dual type system, as well as its operational semantics. In particular, a labeled transition system for the language is presented and the notion of trace equivalence is defined. In Section 3 we introduce the notion of linear contextual equivalence and show that trace equivalence in linear PCF coincides with linear contextual equivalence. Section 4 extends our approach to a non-deterministic setting with monadic types, where the technical development follows the previous two sections, and we establish the coincidence between trace equivalence and linear contextual equivalence. With this result, we show that the two functions in the previous example are indeed equivalent in linear contexts. Section 5 concludes the paper.



2 The call-by-name linear PCF 



We start with a linear version of PCF (LPCF for short) with a call-by-name evaluation strategy. Types are given by the following grammar:

$\tau, \tau', \ldots ::= \mathtt{Nat} \mid \mathtt{Bool} \mid \tau \& \tau' \mid \tau \otimes \tau' \mid \tau \multimap \tau' \mid \tau \to \tau'$

Here $\tau \& \tau'$ and $\tau \otimes \tau'$ are usual product and tensor product respectively. Linear functions will be given types in the form $\tau \multimap \tau'$. Following [26], we choose to make intuitionistic function types $\tau \to \tau'$ primitive rather than introducing exponential types. The choice makes our technical development simpler but does not affect the heart of the approach — one can certainly express non-linear function types in terms of !-types, using Girard's decomposition: $\tau \to \tau' = \,!\tau \multimap \tau'$, and adapt our technique accordingly.

Terms are built up from constants (boolean and integer values plus integer operations and fix-point recursion) and variables, using the following constructs.



$e, e', \ldots ::= x$ (Variables)
$\quad \mid 0 \mid 1 \mid 2 \mid \ldots$ (Integers)
$\quad \mid \mathtt{succ} \mid \mathtt{pred} \mid \mathtt{iszero}$ (Integer operations)
$\quad \mid \lambda x.\,e \mid e\,e'$ (Abstractions and applications)
$\quad \mid \mathtt{true} \mid \mathtt{false}$ (Booleans)
$\quad \mid \mathtt{if}\ e_1\ \mathtt{then}\ e_2\ \mathtt{else}\ e_3$ (Conditionals)
$\quad \mid (e_1, e_2) \mid \mathtt{proj}_i(e)$ (Products and projections)
$\quad \mid \mathtt{fix}_\tau$ (Fix-point recursion)
$\quad \mid e_1 \otimes e_2 \mid \mathtt{let}\ x \otimes y = e\ \mathtt{in}\ e'$ (Tensor products and projections)



Most of the language constructs are standard: the λ-abstraction $\lambda x.\,e$ defines a function, whose linearity will be judged by the type system, and the application $e\,e'$ applies the function $e$ to the argument $e'$; the conditional $\mathtt{if}\ e_1\ \mathtt{then}\ e_2\ \mathtt{else}\ e_3$ evaluates like $e_2$ or $e_3$, according to whether the boolean term $e_1$ evaluates to true or false; $(e_1, e_2)$, $\mathtt{proj}_1\,e$ and $\mathtt{proj}_2\,e$ are normal products and corresponding projections; the term $\mathtt{fix}_\tau\,e$ represents the least fix-point of the function $e$. The tensor product and tensor projection are related to linearity — the constructs actually force that no single component of a product can be discarded while the other is preserved. Tensor products are also useful for currying linear functions.

Variables appearing in the λ-binder and the let-binder (in tensor projections) are bound variables of LPCF programs. We write $FV(e)$, $FLV(e)$, $FNV(e)$ for the sets of, respectively, free variables, free linear variables, and free non-linear variables in term $e$. We will not distinguish α-equivalent terms, which are terms syntactically identical up to renaming of bound variables. If $e$ and $e'$ are terms and $x$ is a variable, then $e[e'/x]$ denotes the term resulting from substituting $e'$ for all free occurrences of $x$ in $e$. More generally, given a list $e_1, \ldots, e_n$ of terms and a list $x_1, \ldots, x_n$ of distinct variables, we write $e[e_1/x_1, \ldots, e_n/x_n]$ for the result of simultaneously substituting each term for free occurrences in $e$ of the corresponding variable $x_i$.

A typing assertion takes the form $\Gamma; \Delta \vdash e : \tau$, where $\Gamma$ and $\Delta$ are finite partial functions from variables to types, $e$ is a term, and $\tau$ is a type. We adopt the notation from dual intuitionistic linear logic [3] by using $\Gamma$ and $\Delta$ to represent typing environments for, respectively, non-linear variables and linear variables. It is assumed that the codomains of the non-linear and linear typing environments are disjoint. The type assignment relation for the linear PCF consists of all typing assertions that can be derived from the axioms and rules in Figure 1, which are very standard. The notation $\Gamma, x : \tau$ denotes the partial function which properly extends $\Gamma$ by mapping $x$ to $\tau$, so it is implicitly assumed that $x$ is not in the domain of $\Gamma$. We write $Prog(\tau) = \{e \mid \emptyset; \emptyset \vdash e : \tau\}$ for the set of all closed programs of type $\tau$.



$\dfrac{x : \tau \in \Gamma}{\Gamma; \emptyset \vdash x : \tau}$ \qquad $\Gamma; x : \tau \vdash x : \tau$ \qquad $\Gamma; \emptyset \vdash \mathtt{fix}_\tau : (\tau \to \tau) \to \tau$ \qquad $\dfrac{i \in \{0, 1, 2, \ldots\}}{\Gamma; \emptyset \vdash i : \mathtt{Nat}}$

$\Gamma; \emptyset \vdash \mathtt{succ} : \mathtt{Nat} \multimap \mathtt{Nat}$ \qquad $\Gamma; \emptyset \vdash \mathtt{pred} : \mathtt{Nat} \multimap \mathtt{Nat}$ \qquad $\Gamma; \emptyset \vdash \mathtt{iszero} : \mathtt{Nat} \multimap \mathtt{Bool}$

$\dfrac{b \in \{\mathtt{true}, \mathtt{false}\}}{\Gamma; \emptyset \vdash b : \mathtt{Bool}}$ \qquad $\dfrac{\Gamma; \Delta \vdash e_1 : \mathtt{Bool} \quad \Gamma; \Delta' \vdash e_2 : \tau \quad \Gamma; \Delta' \vdash e_3 : \tau}{\Gamma; \Delta, \Delta' \vdash \mathtt{if}\ e_1\ \mathtt{then}\ e_2\ \mathtt{else}\ e_3 : \tau}$

$\dfrac{\Gamma; \Delta \vdash e_i : \tau_i \ (i = 1, 2)}{\Gamma; \Delta \vdash (e_1, e_2) : \tau_1 \& \tau_2}$ \qquad $\dfrac{\Gamma; \Delta \vdash e : \tau_1 \& \tau_2}{\Gamma; \Delta \vdash \mathtt{proj}_i(e) : \tau_i}\ (i = 1, 2)$

$\dfrac{\Gamma; \Delta_i \vdash e_i : \tau_i \ (i = 1, 2)}{\Gamma; \Delta_1, \Delta_2 \vdash e_1 \otimes e_2 : \tau_1 \otimes \tau_2}$ \qquad $\dfrac{\Gamma; \Delta, x : \tau_1, y : \tau_2 \vdash e : \tau \quad \Gamma; \Delta' \vdash e' : \tau_1 \otimes \tau_2}{\Gamma; \Delta, \Delta' \vdash \mathtt{let}\ x \otimes y = e'\ \mathtt{in}\ e : \tau}$

$\dfrac{\Gamma, x : \tau; \Delta \vdash e : \tau'}{\Gamma; \Delta \vdash \lambda x.\,e : \tau \to \tau'}$ \qquad $\dfrac{\Gamma; \Delta \vdash e : \tau' \to \tau \quad \Gamma; \emptyset \vdash e' : \tau'}{\Gamma; \Delta \vdash e\,e' : \tau}$

$\dfrac{\Gamma; \Delta, x : \tau \vdash e : \tau'}{\Gamma; \Delta \vdash \lambda x.\,e : \tau \multimap \tau'}$ \qquad $\dfrac{\Gamma; \Delta \vdash e : \tau \multimap \tau' \quad \Gamma; \Delta' \vdash e' : \tau}{\Gamma; \Delta, \Delta' \vdash e\,e' : \tau'}$

Fig. 1. LPCF typing rules



2.1 The operational semantics 

We first define the notion of values of LPCF. 

$v, v', \ldots ::= \mathtt{succ} \mid \mathtt{pred} \mid \mathtt{iszero} \mid \mathtt{true} \mid \mathtt{false} \mid 0 \mid 1 \mid 2 \mid \ldots \mid \mathtt{fix}_\tau \mid (e, e') \mid e \otimes e' \mid \lambda x.\,e$



These are also canonical forms of LPCF terms. 

The one-step reduction between terms is inductively defined by the axioms

$(\lambda x.\,e)\,e' \leadsto e[e'/x]$
$\mathtt{fix}_\tau\, e \leadsto e\,(\mathtt{fix}_\tau\, e)$
$\mathtt{succ}\ n \leadsto n + 1$, where $n \in \{0, 1, 2, \ldots\}$
$\mathtt{pred}\ 0 \leadsto 0$
$\mathtt{pred}\ n \leadsto n - 1$, where $n \in \{1, 2, \ldots\}$
$\mathtt{iszero}\ 0 \leadsto \mathtt{true}$
$\mathtt{iszero}\ n \leadsto \mathtt{false}$, where $n \in \{1, 2, \ldots\}$
$\mathtt{if}\ \mathtt{true}\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2 \leadsto e_1$
$\mathtt{if}\ \mathtt{false}\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2 \leadsto e_2$
$\mathtt{proj}_i(e_1, e_2) \leadsto e_i$ $(i = 1, 2)$
$\mathtt{let}\ x \otimes y = e_1 \otimes e_2\ \mathtt{in}\ e \leadsto e[e_1/x, e_2/y]$

together with the structural rule

$\dfrac{e_1 \leadsto e_2}{\mathcal{E}[e_1] \leadsto \mathcal{E}[e_2]}$

where $\mathcal{E}$ is the evaluation context generated by the grammar

$\mathcal{E} ::= [\,] \mid \mathtt{succ}(\mathcal{E}) \mid \mathtt{pred}(\mathcal{E}) \mid \mathtt{iszero}(\mathcal{E}) \mid \mathcal{E}\,e \mid \mathtt{if}\ \mathcal{E}\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2 \mid \mathtt{proj}_i(\mathcal{E}) \mid \mathtt{let}\ x \otimes y = \mathcal{E}\ \mathtt{in}\ e$

We often call a term $\mathcal{E}[x]$ an evaluation context, if $x$ is the only free variable of the term.

The operational semantics that we define for LPCF is essentially a call-by-name evaluation. Although our later development depends on the operational semantics, it does not really matter whether the evaluation strategy is call-by-name or call-by-value — one can easily adapt our approach to a call-by-value semantics. The only crucial point is that we should not allow the following forms of evaluation contexts:

$(\mathcal{E}, e),\quad (e, \mathcal{E}),\quad \mathtt{if}\ e\ \mathtt{then}\ \mathcal{E}\ \mathtt{else}\ e,\quad \mathtt{if}\ e\ \mathtt{then}\ e\ \mathtt{else}\ \mathcal{E}.$

This is because these contexts admit syntactically duplicated linear variables without breaking the linearity restriction, hence if we substitute a reducible term for such a variable, which makes multiple copies of the term in the context, then one of them may be reduced while all other copies remain unchanged. We shall see how this fact affects our approach in more detail. Indeed, such a restriction over evaluation contexts conforms to the semantics of linearity — as long as a program is allowed to be "used" only once, it should not be reduced multiple times, hence we can safely adopt such an evaluation restriction in languages with linear types.

It is clear that LPCF terms in canonical form do not reduce. The following proposition also shows that every closed non-reducible term must be in canonical form. We write $e \not\leadsto$ when there does not exist a term $e'$ such that $e \leadsto e'$, and $\leadsto^*$ denotes the reflexive transitive closure of $\leadsto$.

Proposition 1. If $e$ is a closed term and $e \not\leadsto$, then $e$ must be in canonical form.



Proof. We prove by induction on the structure of $e$. Below is the analysis for non-canonical forms:

- $e = \mathtt{if}\ e'\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2$. Here $e'$ must be closed and not reducible (otherwise the whole term can be reduced since $\mathtt{if}\ [\,]\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2$ is an evaluation context). By induction $e'$ must be canonical, i.e., either true or false, but in both cases, the original term can be reduced.

- $e = \mathtt{proj}_i(e')$. Here $e'$ must be closed and not reducible (since $\mathtt{proj}_i[\,]$ is an evaluation context), and by induction, must be the canonical form $(e_1, e_2)$, which makes the original term reducible.

- $e = \mathtt{let}\ x \otimes y = e'\ \mathtt{in}\ e''$. Here $e'$ must be closed and not reducible, and by induction, must be the canonical form $e_1 \otimes e_2$, which makes the original term reducible.

- $e = e'\,e''$. Here $e'$ must be closed and not reducible, and by induction, must be canonical: if $e'$ is an abstraction or a fix-point, then the whole term can be reduced; if $e' \in \{\mathtt{succ}, \mathtt{pred}, \mathtt{iszero}\}$, then $e''$ must be canonical, which will be an integer, hence the whole term can be reduced too. □

Evaluation in LPCF is deterministic and preserves typing. 

Lemma 1. For every well-typed term $e$, if $e \leadsto e'$, then $FLV(e') = FLV(e)$.

Proof. By rule induction on the derivation of $e \leadsto e'$. □

Proposition 2 (Subject reduction). If $\Gamma; \Delta \vdash e : \tau$ and $e \leadsto e'$, then $\Gamma; \Delta \vdash e' : \tau$.

Proof. A routine exercise. □

Proposition 3 (Determinacy).

1. If $e \leadsto^* v \not\leadsto$ and $e \leadsto^* v' \not\leadsto$, then $v = v'$.

2. Every well-typed term either converges or all of its reductions do not terminate.

Proof. It suffices to prove that the evaluation is deterministic, that is, there is at most one reduction rule that applies in any situation. This can be proved by induction on the structure of terms. □

Because the reduction is deterministic in LPCF, for any closed term $e$, we say $e$ converges and write $e \Downarrow$ if it reduces to a value. Conversely, we say $e$ diverges if the reduction of $e$ does not terminate and we write $e \Uparrow$. We also define a specific class of terms $\Omega_\tau \stackrel{\mathrm{def}}{=} \mathtt{fix}_\tau(\lambda x.\,x)$, to represent non-terminating programs.



2.2 A labeled transition system for LPCF 

In [9], Gordon defines explicitly a labeled transition system in order to illustrate the applicative bisimulation technique in PCF. We follow this idea to define a labeled transition system for LPCF, upon which we can define the notions of traces and trace equivalence and develop our framework.

Transition rules are listed in Figure 2: we make the typing of terms explicit in the rules as the type system plays an important role in LPCF.



$\dfrac{c \in \{\mathtt{true}, \mathtt{false}, 0, 1, 2, \ldots\}}{c \xrightarrow{c} \Omega_\tau}$ ($\tau$ the type of $c$)

$\dfrac{\Gamma; \Delta \vdash \lambda x.\,e : \tau \quad \emptyset; \emptyset \vdash e' : \tau' \quad \tau = \tau' \multimap \tau''\ \text{or}\ \tau' \to \tau''}{\lambda x.\,e \xrightarrow{@e'} e[e'/x]}$

$\dfrac{\Gamma; \Delta \vdash (e_1, e_2) : \tau_1 \& \tau_2}{(e_1, e_2) \xrightarrow{\mathtt{proj}_i} e_i}$ ($i = 1, 2$)

$\dfrac{\Gamma; \Delta \vdash e_1 \otimes e_2 : \tau_1 \otimes \tau_2 \quad \emptyset; x : \tau_1, y : \tau_2 \vdash e : \tau}{e_1 \otimes e_2 \xrightarrow{\otimes e} e[e_1/x, e_2/y]}$

$\dfrac{e \leadsto e' \quad e' \xrightarrow{\alpha} e''}{e \xrightarrow{\alpha} e''}$

Fig. 2. Labeled transition system for LPCF



The last rule in Figure 2 says that term reductions are considered as internal transitions — external transitions are labeled by actions. Note that in the sequel, we shall write $e \xrightarrow{\alpha} e'$ for a single external transition without preceding internal transitions, and make internal transitions explicit when $e \leadsto \cdots \xrightarrow{\alpha} e'$.

Intuitively, external transitions represent the way terms interact with environments (or contexts). For instance, a λ-abstraction can "consume" (application of itself to) a term, which is supplied by the environment as an argument, and forms a β-reduction. The first rule says that, what an integer or boolean constant can provide to the environment is the value of itself, and after that it can no more provide any information, hence no external transitions can occur any more. We represent this by a transition, labeled by the value of the constant, into a non-terminating program $\Omega$ of appropriate type.

It should be noticed that transitions are defined in general for LPCF terms, including open terms, but they never introduce new free variables. This is particularly true for @- and $\otimes$-transitions according to their typing premises.

Let $s$ be a finite sequence of actions $\alpha_1 \alpha_2 \ldots \alpha_n$ ($n \geq 1$). We write $e \xrightarrow{s}$ if there exist terms $e_1, e_2, \ldots, e_n$ such that $e \leadsto^* \xrightarrow{\alpha_1} e_1 \leadsto^* \xrightarrow{\alpha_2} e_2 \cdots \xrightarrow{\alpha_n} e_n$ (the entire sequence including term reductions is called the full sequence of $s$). An action sequence $s$ is a trace of $e$ if $e \xrightarrow{s}$, and we write $Tr(e)$ for the set of all traces of $e$, i.e., $Tr(e) \stackrel{\mathrm{def}}{=} \{s \mid e \xrightarrow{s}\}$. We also write $\alpha \cdot s$ and $s_1 \cdot s_2$ for the traces obtained by, respectively, prefixing trace $s$ with an action $\alpha$ and concatenating $s_1$ and $s_2$.

Given two traces $s_1$ and $s_2$, we say $s_1$ is a subtrace of $s_2$ if $s_1$ is a prefix of $s_2$ when they are viewed as strings. A trace of an LPCF term $e$ is maximal if it is not a subtrace of any other trace in $Tr(e)$. A computational trace is a maximal trace of the form $s \cdot c$, where $c$ is a boolean or integer constant. In other words, a computational trace ends with some observable value, while a non-computational trace may end with an action of the form $@e$, $\mathtt{proj}_i$ or $\otimes e$.



The empty trace, denoted by $\epsilon$, can be taken by any program. Meanwhile, if $\epsilon$ is the only trace that a term can take, which means the term cannot take any external action, then the term must diverge, i.e., $Tr(e) = \{\epsilon\}$ iff $e \Uparrow$.

We define the trace preorder $\sqsubseteq_T$ between terms: $e_1 \sqsubseteq_T e_2$ iff $Tr(e_1) \subseteq Tr(e_2)$. Two terms $e_1$ and $e_2$ are trace equivalent, written $e_1 \simeq_T e_2$, iff $e_1 \sqsubseteq_T e_2$ and $e_2 \sqsubseteq_T e_1$.

Lemma 2. 1. If $Tr(e_1) = Tr(e_2) \neq \{\epsilon\}$, then $e_1, e_2$ must have the same type.

2. Let $e_1, e_2$ be two terms of the same type. For any trace $s$, if $e_1 \xrightarrow{s} e_1'$ and $e_2 \xrightarrow{s} e_2'$, then $e_1'$ and $e_2'$ also have the same type.

3. If $e \leadsto e'$, then $e' \sqsubseteq_T e$.

Proof. The first statement can be proved by contradiction; the second one is proved by induction on the length of $s$; the third one is a direct consequence of the definition of trace preorder. □



3 Linear contextual equivalence 

Defining a context in a language with linear types must be treated carefully, since holes can hide bound variables and consequently break the typing if the variable is linear [4]. We choose to replace the context hole by an explicit free variable and restrict attention to equivalence between closed terms, so as to avoid extra syntactic machinery.

Intuitively, a linear context is a context where programs under examination will be evaluated and used exactly once 4. In a linear functional language, we can formalize it by a restricted notion of contexts: a linear context $C_{x:\tau}$ in LPCF is a term with a single linear variable $x$ and no non-linear variables, i.e., $\emptyset; x : \tau \vdash C_{x:\tau} : \sigma$. We often omit the variable and type subscript when it is clear from the text or irrelevant.

Definition 1 (Linear contextual equivalence). We write $e_1 \sqsubseteq_C e_2$ for $e_1, e_2 \in Prog(\tau)$, if $C[e_1/x] \Downarrow$ implies $C[e_2/x] \Downarrow$ for all linear contexts $C_{x:\tau}$. The relation $\sqsubseteq_C$ is called the linear contextual preorder between closed programs. Linear contextual equivalence $\simeq_C$ is defined as the symmetrization of $\sqsubseteq_C$: $e_1 \simeq_C e_2$ iff $e_1 \sqsubseteq_C e_2$ and $e_2 \sqsubseteq_C e_1$.

In [5], the definition of ground contextual equivalence (Definition 2.1) says that 
contexts must be of exponential types, because they are necessary for a program to adopt 
recursions in their type system. In LPCF non-linear function types are primitive, with no 
exponential types, and the type for fix-point operator indicates that recursions must be 
taken within non-linear functions. Hence, the above definition admits the requirement 
of the definition of ground contextual equivalence in [5]. 

Lemma 3. Let $C_1, C_2$ be two linear contexts such that $\emptyset; x : \tau \vdash C_1 : \sigma$ and $\emptyset; y : \sigma \vdash C_2 : \sigma'$, then $C_2[C_1/y]$ is also a linear context.

Proof. It can be shown that $\emptyset; x : \tau \vdash C_2[C_1/y] : \sigma'$. □

4 It is more general to consider affine contexts where programs are executed at most once, but in the current paper we refrain from going that far and leave it as future work.



3.1 Linear context transitions 



Corresponding to the transition system for terms, we also define transitions for linear contexts, which only occur in evaluation contexts:

$C[\mathtt{if}\ x\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2/y] \circ\!\xrightarrow{\mathtt{true}} C[e_1/y]$
$C[\mathtt{if}\ x\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2/y] \circ\!\xrightarrow{\mathtt{false}} C[e_2/y]$
$C[\mathtt{pred}(x)/y] \circ\!\xrightarrow{n} C[n'/y]$ ($n = n' + 1$ or $n = n' = 0$)
$C[\mathtt{succ}(x)/y] \circ\!\xrightarrow{n} C[n'/y]$ ($n' = n + 1$)
$C[\mathtt{iszero}(x)/y] \circ\!\xrightarrow{n} C[\mathtt{true}/y]$ (if $n = 0$)
$C[\mathtt{iszero}(x)/y] \circ\!\xrightarrow{n} C[\mathtt{false}/y]$ (if $n \neq 0$)
$C[\mathtt{proj}_i(x)/y] \circ\!\xrightarrow{\mathtt{proj}_i} C_y$ ($i = 1, 2$)
$C[x\,e/y] \circ\!\xrightarrow{@e} C_y$
$C[\mathtt{let}\ z_1 \otimes z_2 = x\ \mathtt{in}\ e/y] \circ\!\xrightarrow{\otimes e} C_y$

Linear context transitions represent the way a context interacts with programs under testing. A linear context transition often eliminates the free variable in the context or transforms it into another variable of a different type (in which case we often use a variable with a different name for the sake of clarity), which indicates that a reduction can occur involving both the candidate program and (a subterm of) the context.

Linear context transitions do not necessarily transform a linear context into another linear context — linear contexts can also be transformed into closed terms, which do not contain any free variables. This particularly happens when the program under testing is a boolean or integer constant, which, after the transition, cannot provide any information to the context.

Notice that linear contexts themselves are LPCF terms, so they can also take normal transitions as defined in Figure 2. We use explicitly distinguished notations for the two kinds of transitions.

Lemma 4 (Transition lemma). For every linear context $C_{x:\tau}$ and LPCF program $e \in Prog(\tau)$ such that $C[e/x] \not\leadsto$, a transition from $C[e/x]$ must be of either of the two forms:

- $C[e/x] \xrightarrow{\alpha} C'[e/x]$ with $C \xrightarrow{\alpha} C'$;

- $C = x$ and $C[e/x] = e \xrightarrow{\alpha} e'$.

Proof. Since $C[e/x] \not\leadsto$, it must be in canonical form, then $C$ must be one of the forms: $x$, $C_1 \otimes e'$, $e' \otimes C_1$, $(C_1, C_2)$, $\lambda y.\,C_1$, where $e'$ is a closed term and $C_1, C_2$ are linear contexts with free variable $x$.

It is clear that if $C = x$, the transition must be of the second form. In all other forms, it can be easily checked that the transition will be of the first form, with the context $C$ itself being transformed into another term with the free linear variable $x$, which forms another linear context. □



3.2 Linear context reductions 

Reductions of linear contexts filled with programs can be classified into several forms, called linear context reductions (LCR for short), which characterize the interaction between linear contexts and programs.



Definition 2 (Linear context reduction). Let $C_{x:\tau}$ be a linear context and $e \in Prog(\tau)$ be an LPCF program. A reduction of $C[e/x]$ (if it is reducible) is called a linear context reduction if it is of one of the following forms:

- $C[e/x] \leadsto C'[e/x]$, if $C \leadsto C'$;

- $C[e/x] \leadsto C[e'/x]$, if $C$ is an evaluation context and $e \leadsto e'$;

- $C[e/x] \leadsto C'[e'/y]$, if $C$ is an evaluation context, $e \not\leadsto$, and $C \circ\!\xrightarrow{\alpha} C'$, $e \xrightarrow{\alpha} e'$ for some external action $\alpha$.

We often write $C[e/x] \leadsto^{\alpha} C'[e'/y]$ for the third form of linear context reduction, indicating explicitly that the transitions involved are labeled by $\alpha$.

Linear context reductions are closed under linear evaluation contexts:

Lemma 5. Let $C_1, C_2$ be two linear contexts such that $\emptyset; x : \tau \vdash C_1 : \sigma$ and $\emptyset; y : \sigma \vdash C_2 : \sigma'$, and $C_2$ is also an evaluation context.

1. If $C_1 \leadsto e$, then $C_2[C_1/y] \leadsto C_2[e/y]$.

2. If $C_1[e/x] \leadsto e'$ is a linear context reduction, then $C_2[C_1[e/x]/y] \leadsto C_2[e'/y]$ is also a linear context reduction.

Proof. Direct consequence of the definition of linear context transitions. □
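To make both the reduction relation of Section 2.1 and the three forms of Definition 2 concrete, here is an added Python illustration (not the paper's code). It implements the one-step reduction with the evaluation-context grammar, a fuel-bounded evaluator, and a classifier that decides which form of linear context reduction a given C[e/x] takes. Terms are encoded as tuples; the assumption, stated in the comments, is that bound variable names are distinct from the names being substituted, so no capture-avoiding renaming is needed. The names step, evaluate, is_eval_context, classify_lcr and the sample terms are this example's own.

```python
# Terms as tuples: ('var', x) ('num', n) ('bool', b) ('const', 'succ'|'pred'|'iszero')
# ('lam', x, e) ('app', e1, e2) ('if', e1, e2, e3) ('pair', e1, e2) ('proj', i, e)
# ('fix',) ('tensor', e1, e2) ('let', x, y, e1, e2).  Assumption: bound names never
# clash with substituted names, so plain substitution is capture-free.

def subst(e, v, x):
    """e[v/x]: replace free occurrences of variable x in e by the term v."""
    tag = e[0]
    if tag == 'var':
        return v if e[1] == x else e
    if tag in ('num', 'bool', 'const', 'fix'):
        return e
    if tag == 'lam':
        return e if e[1] == x else ('lam', e[1], subst(e[2], v, x))
    if tag == 'let':
        body = e[4] if x in (e[1], e[2]) else subst(e[4], v, x)
        return ('let', e[1], e[2], subst(e[3], v, x), body)
    if tag == 'proj':
        return ('proj', e[1], subst(e[2], v, x))
    return (tag,) + tuple(subst(s, v, x) for s in e[1:])   # app, if, pair, tensor

def is_value(e):
    """Canonical forms of LPCF."""
    return e[0] in ('const', 'num', 'bool', 'fix', 'lam', 'pair', 'tensor')

def step(e):
    """One reduction step, or None if e is stuck. Evaluation contexts are encoded
    by recursing only into the positions the grammar of E allows."""
    tag = e[0]
    if tag == 'app':
        f, a = e[1], e[2]
        if f[0] == 'lam':                        # (lambda x.e) e' ~> e[e'/x]
            return subst(f[2], a, f[1])
        if f[0] == 'fix':                        # fix e ~> e (fix e)
            return ('app', a, ('app', f, a))
        if f[0] == 'const' and a[0] == 'num':    # succ / pred / iszero on a numeral
            n = a[1]
            return {'succ': ('num', n + 1), 'pred': ('num', max(n - 1, 0)),
                    'iszero': ('bool', n == 0)}[f[1]]
        r = step(f)                              # context  E e
        if r is not None:
            return ('app', r, a)
        if f[0] == 'const':                      # contexts succ(E), pred(E), iszero(E)
            r = step(a)
            return None if r is None else ('app', f, r)
        return None
    if tag == 'if':
        if e[1][0] == 'bool':
            return e[2] if e[1][1] else e[3]
        r = step(e[1])                           # context  if E then e1 else e2
        return None if r is None else ('if', r, e[2], e[3])
    if tag == 'proj':
        if e[2][0] == 'pair':
            return e[2][e[1]]                    # proj_i (e1, e2) ~> e_i
        r = step(e[2])                           # context  proj_i(E)
        return None if r is None else ('proj', e[1], r)
    if tag == 'let':
        t = e[3]
        if t[0] == 'tensor':                     # let x(x)y = e1(x)e2 in e ~> e[e1/x, e2/y]
            return subst(subst(e[4], t[1], e[1]), t[2], e[2])
        r = step(t)                              # context  let x(x)y = E in e
        return None if r is None else ('let', e[1], e[2], r, e[4])
    return None                                  # values and variables are stuck

def evaluate(e, fuel=1000):
    """Reduce to a canonical form; None signals divergence within `fuel` steps."""
    for _ in range(fuel):
        nxt = step(e)
        if nxt is None:
            return e if is_value(e) else None    # a closed stuck term is canonical (Prop. 1)
        e = nxt
    return None

def is_eval_context(C, x):
    """Does C, read with its hole at variable x, fit the grammar of E?"""
    tag = C[0]
    if tag == 'var':
        return C[1] == x
    if tag == 'app':
        return is_eval_context(C[2], x) if C[1][0] == 'const' else is_eval_context(C[1], x)
    if tag in ('if',):
        return is_eval_context(C[1], x)
    if tag == 'proj':
        return is_eval_context(C[2], x)
    if tag == 'let':
        return is_eval_context(C[3], x)
    return False

def classify_lcr(C, e, x='x'):
    """Form of Definition 2 taken by the reduction of C[e/x]: 'form1' the context
    reduces by itself, 'form2' the program reduces inside an evaluation context,
    'form3' context and program synchronise on an external action (e canonical,
    C an evaluation context). None when C[e/x] is stuck."""
    r = step(subst(C, e, x))
    if r is None:
        return None
    Cp = step(C)
    if Cp is not None and subst(Cp, e, x) == r:
        return 'form1'
    ep = step(e)
    if ep is not None and is_eval_context(C, x) and subst(C, ep, x) == r:
        return 'form2'
    if ep is None and is_eval_context(C, x) and is_value(e):
        return 'form3'
    return 'unclassified'                        # excluded by Lemma 6

# Constructed sample terms and contexts (hole variable is 'x').
X = ('var', 'x')
OMEGA = ('app', ('fix',), ('lam', 'x', X))                  # fix (lambda x. x)
IF_CTX = ('if', X, ('num', 1), ('num', 2))                  # if x then 1 else 2
ID_CTX = ('app', ('lam', 'y', ('var', 'y')), X)             # (lambda y. y) x
PROJ_CTX = ('proj', 1, X)                                   # proj_1(x)
ISZERO_PRED_1 = ('app', ('const', 'iszero'), ('app', ('const', 'pred'), ('num', 1)))
```

Running classify_lcr on the samples shows each form once: (λy.y) x with a reducible program reduces by the context alone (first form), if x then 1 else 2 filled with iszero 0 reduces the program inside the evaluation context (second form), and the same context filled with true, or proj_1(x) filled with a pair, synchronises on the true or proj_1 action (third form).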

The so-called linear context reduction lemma below says that the reduction of a linear context filled with a program in LPCF must be a linear context reduction. This is the core lemma for proving precongruence of trace equivalence w.r.t. linear contexts.

Lemma 6 (Linear context reduction lemma). For every linear context $C_{x:\tau}$ and LPCF program $e \in Prog(\tau)$, if $C[e/x]$ is reducible, then the reduction $C[e/x] \leadsto$ must be a linear context reduction.

Proof. We prove by induction on the structure of the linear context.

- $C$ cannot be any constant since it must contain a linear free variable. And it cannot be a normal product, a tensor product or an abstraction, as all these forms cannot be reduced any more, no matter what $e$ is.

- The simplest linear context $x$ is an evaluation context. If $e$ can be reduced, then it is the second case.

- $C = \mathtt{if}\ C'\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2$, where $C'$ is another linear context. If $C'[e/x]$ can be reduced, by induction, it must be either of the following cases:

  • $C'[e/x] \leadsto C''[e/x]$ and $C' \leadsto C''$, then we have that $C[e/x] \leadsto \mathtt{if}\ C''[e/x]\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2$ with $C \leadsto \mathtt{if}\ C''\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2$.

  • $C'[e/x] \leadsto C'[e'/x]$, $e \leadsto e'$, and $C'$ is an evaluation context, then $C$ is also an evaluation context, hence $C[e/x] \leadsto C[e'/x]$.

  • $C'[e/x] \leadsto^{\alpha} C''[e'/y]$ and $C' \circ\!\xrightarrow{\alpha} C''$, $e \xrightarrow{\alpha} e'$ for some action $\alpha$, then $C \circ\!\xrightarrow{\alpha} \mathtt{if}\ C''\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2$ and $C[e/x]$ can take a similar reduction.

  If $C'[e/x]$ cannot reduce, then it is a canonical boolean term, which is either true or false, and the only possibility of $C'$ is the simplest case $x$, with $e$ being a boolean constant. In this case both $C$ and $e$ can take the transition $\xrightarrow{\mathtt{true}}$ or $\xrightarrow{\mathtt{false}}$, and the reduction of $C[e/x]$ falls into the third case.

- $C = \mathtt{if}\ e'\ \mathtt{then}\ C_1\ \mathtt{else}\ C_2$, where by typing both $C_1$ and $C_2$ are linear contexts. If $e'$ can be reduced ($e' \leadsto e''$), then $C[e/x]$ will reduce to $\mathtt{if}\ e''\ \mathtt{then}\ C_1[e/x]\ \mathtt{else}\ C_2[e/x]$, which is still a linear context. If $e'$ cannot be reduced, then it must be a boolean constant since it must be canonical, then $C[e/x]$ will reduce to either $C_1[e/x]$ or $C_2[e/x]$. Both reductions are the first form of LCR.

- $C = \mathtt{proj}_i(C')$, where $C'$ is a linear context. If $C'[e/x]$ itself can be reduced, then by induction it must be in one of the three forms of linear context reduction. In each case, it is easy to see that $C[e/x]$ will take the same form of reduction. If $C'[e/x]$ is not reducible, then it must be of the form $(\_, \_)$. There are two cases:

  • $C' = (C_1', C_2')$, where both $C_1'$ and $C_2'$ are linear contexts, then $C[e/x] \leadsto C_i'[e/x]$, which is the first form of linear context reduction.

  • $C' = x$ and $e = (e_1, e_2)$. Now both $C$ and $e$ can take the transition $\xrightarrow{\mathtt{proj}_i}$: $C = \mathtt{proj}_i(x) \circ\!\xrightarrow{\mathtt{proj}_i} y$, $e = (e_1, e_2) \xrightarrow{\mathtt{proj}_i} e_i$, and $C[e/x] \leadsto e_i = y[e_i/y]$. This is the third form of linear context reduction.
- $C = \mathtt{let}\ y_1 \otimes y_2 = C'\ \mathtt{in}\ e'$. If $C'[e/x]$ is reducible, by induction, the reduction of $C'[e/x]$ must be a linear context reduction, then the reduction of $C[e/x]$ will be a linear context reduction of the same form. If $C'[e/x]$ is not reducible, then there are two cases:

  • $C' = C'' \otimes e''$ or $C' = e'' \otimes C''$, where $e''$ is a closed term and $C''$ is a linear context. Consider the first case without losing generality. $C[e/x]$ will reduce to $e'[C''[e/x]/y_1, e''/y_2]$. It is easy to check that $e'[e''/y_2]$ is also a linear context, then so is $e'[e''/y_2, C''/y_1]$, so the reduction is a linear context reduction of the first form.

  • $C' = x$ and $e = e_1 \otimes e_2$. Now both $C$ and $e$ can take a $\xrightarrow{\otimes e'}$ transition: $C = \mathtt{let}\ y_1 \otimes y_2 = x\ \mathtt{in}\ e' \circ\!\xrightarrow{\otimes e'} z$, $e = e_1 \otimes e_2 \xrightarrow{\otimes e'} e'[e_1/y_1, e_2/y_2]$, and $C[e/x] \leadsto e'[e_1/y_1, e_2/y_2] = z[e'[e_1/y_1, e_2/y_2]/z]$.

- $C = \mathtt{let}\ y \otimes z = e'\ \mathtt{in}\ C'$. It is clear that $e'$ is a closed term and $FLV(C') = \{x, y, z\}$. If $e' \leadsto e''$ reduces, then $C[e/x] \leadsto \mathtt{let}\ y \otimes z = e''\ \mathtt{in}\ C'[e/x]$. Otherwise, $e'$ must be $e_1' \otimes e_2'$, then $C[e/x] \leadsto C'[e/x, e_1'/y, e_2'/z]$, with $C$ reducing to $C'[e_1'/y, e_2'/z]$, which is a linear context.

- $C = C'\,e'$. Because $C'$ is a linear context, by induction, if $C'[e/x]$ can be reduced, then it must be a linear context reduction. As $C'\,e'$ is an evaluation context, $C[e/x]$ will take the same form of linear context reduction as $C'[e/x]$. If $C'[e/x]$ cannot be reduced, then it must be an abstraction. There are two cases:

  • $C' \equiv \lambda y.C''$ and $x \in FLV(C'')$, then $C = (\lambda y.C'')e' \leadsto C''[e'/y]$ and it is easy to check that $C''[e'/y]$ is a linear context since $e'$ is closed, hence $C[e/x] = (\lambda y.C''[e/x])e' \leadsto C''[e'/y][e/x]$, which is the first form of linear context reduction.

  • $C' = x$ and $e \equiv \lambda y.e''$ is an abstraction, then $C = x\,e' \xrightarrow{@e'}_{\circ} z$ (with $z$ being a fresh linear variable, hence a linear context), $e \equiv \lambda y.e'' \xrightarrow{@e'} e''[e'/y]$, and $C[e/x] \equiv (\lambda y.e'')e' \leadsto e''[e'/y] \equiv z[e''[e'/y]/z]$.



- $C = e'\,C'$. If $e' \leadsto e''$, then $C[e/x] \leadsto e''(C'[e/x])$ with $C \leadsto e''C'$. If $e'$ cannot be reduced, then it must be canonical, which is either an abstraction or a constant. Because $C'$ contains a linear variable, according to the typing system the type of $e'$ can only be a linear function type.

  • If $e' = \lambda y.e''$, then $C[e/x] = (\lambda y.e'')(C'[e/x]) \leadsto e''[C'[e/x]/y] = e''[C'/y][e/x]$. Also $C \leadsto e''[C'/y]$. Because $y$ is a free linear variable in $e''$, $e''$ is indeed a linear context, and so is $e''[C'/y]$.

  • If $e'$ is a constant, because its type must be a linear function type, it can only be one of $\{\mathsf{pred}, \mathsf{succ}, \mathsf{iszero}\}$. In any case, $e'\,C'$ is an evaluation context. If $C'[e/x]$ reduces, then by induction it must be a linear context reduction, hence $e'\,C'[e/x]$ can reduce and is a linear context reduction of the same form as that of $C'[e/x]$. If $C'[e/x]$ cannot reduce, it must be canonical, i.e., an integer $n$, then $C' = x$ and $e = n$. Now both $C'$ and $e$ can take a $\xrightarrow{n}$ transition and $C[e/x]$ will reduce to another integer or a boolean constant, depending on which constant $e'$ is. □

The linear context reduction lemma is not true if the context is not linear or the language does not have linear types at all, because duplicated use of programs in the context admits reductions that cannot be characterized by LCR, particularly when the program itself is reducible, i.e., $C[e/x] \leadsto C[e'/x]$ is not true when $e \leadsto e'$ and $C$ makes multiple copies of $e$. The reduction strategy also interferes, as we have mentioned when defining the operational semantics: introducing improper evaluation contexts like $(\mathcal{E}, e)$ breaks the linear context lemma, for the same reason as using non-linear contexts.

3.3 Soundness and completeness of trace equivalence 

We show that in LPCF, the trace preorder relation is precongruent with respect to linear 
contexts. It then enables us to show that trace equivalence actually coincides with linear 
contextual equivalence. 

The following theorem says that trace preorder in LPCF is a precongruence relation 
with respect to linear contexts. As LPCF is a deterministic language, the proof can be 
done by induction on (the length of) traces. 

Theorem 1 (Linear precongruence of $\sqsubseteq_T$). Trace preorder $\sqsubseteq_T$ is a precongruence with respect to linear contexts, i.e., $e_1 \sqsubseteq_T e_2$ implies that $C[e_1/x] \sqsubseteq_T C[e_2/x]$ for all linear contexts $C_x$.

Proof. According to the definition of $\sqsubseteq_T$, it suffices to show that, for any action sequence $s$, if $C[e_1/x] \xrightarrow{s}$ then $C[e_2/x] \xrightarrow{s}$. We prove by induction on the length of $C[e_1/x] \xrightarrow{s}$ (note that the transition includes internal transitions, i.e., term reductions). The base case is trivial.

We distinguish two cases.

- $C[e_1/x] \leadsto e \xrightarrow{s}$. By the linear context lemma, the reduction must be a linear context reduction, which is one of the following cases:

  • $e = C'[e_1/x]$ where $C \leadsto C'$. It holds that $C[e_2/x] \leadsto C'[e_2/x]$. By induction, $C'[e_2/x] \xrightarrow{s}$ since $C'[e_1/x] \xrightarrow{s}$, hence $C[e_2/x] \leadsto C'[e_2/x] \xrightarrow{s}$, i.e., $C[e_2/x] \xrightarrow{s}$.

  • $e = C[e'_1/x]$ where $e_1 \leadsto e'_1$. We immediately have $e'_1 \sqsubseteq_T e_1 \sqsubseteq_T e_2$ and by induction, $C[e_2/x] \xrightarrow{s}$ because $C[e'_1/x] \xrightarrow{s}$.

  • $e = C'_y[e'_1/y]$ where $C \xrightarrow{a}_{\circ} C'_y$ and $e_1 \xrightarrow{a} e'_1$. Since $e_1 \sqsubseteq_T e_2$ and the transitions are deterministic, we have $e_2 \xrightarrow{a} e'_2$ and $e'_1 \sqsubseteq_T e'_2$. It is clear that $e_2 \xrightarrow{a} e'_2$ must be of the form $e_2 \leadsto^* e''_2 \xrightarrow{a} e'_2$, where $e''_2 \not\leadsto$. By the definition of linear context reduction, $C$ must be an evaluation context, hence $C[e_2/x] \leadsto^* C[e''_2/x] \leadsto C'_y[e'_2/y]$, and by induction, $C'_y[e'_1/y] \xrightarrow{s}$ implies $C'_y[e'_2/y] \xrightarrow{s}$.

- $C[e_1/x] \xrightarrow{a} e \xrightarrow{s'}$ with $s = a \cdot s'$. By Lemma 4, the first transition has two forms:

  • $C \xrightarrow{a} C'$ and $e = C'[e_1/x]$. By induction, $C'[e_1/x] \xrightarrow{s'}$ implies $C'[e_2/x] \xrightarrow{s'}$. It follows that $C[e_2/x] \xrightarrow{a} C'[e_2/x] \xrightarrow{s'}$.

  • $C = x$ and $e_1 \xrightarrow{a} e'_1 = e$. Then $e_1 \sqsubseteq_T e_2$ implies that $C[e_2/x] = e_2 \xrightarrow{s}$.

□

However, the above proof does not apply to non-deterministic languages, as trace preorder does not conform to induction in general. We supply in this section a more general proof of the linear precongruence of trace preorder, by exploiting the intrinsic features of linear contexts.

For every linear context $C_{x:\tau}$ and LPCF program $e \in \mathcal{P}rog(\tau)$, if $C[e/x] \xrightarrow{s}$ and $e \xrightarrow{t}$, we define $t$ to be the context trace w.r.t. $C$ and $s$ (also written as $(C, s)$-trace), inductively on the full sequence of $s$, if:

- $t = \epsilon$ when $s$ is empty;

- $t$ is the context trace of $e'$ w.r.t. $C$ and $s$ when $C[e/x] \leadsto C[e'/x]$ with $e \leadsto e'$;

- $t$ is the context trace of $e$ w.r.t. $C'$ and $s$ when $C[e/x] \leadsto C'[e/x]$ with $C \leadsto C'$;

- $t = a \cdot t'$ and $t'$ is the context trace of $e'$ w.r.t. $C'$ and $s$ when $C[e/x] \leadsto C'[e'/x]$ with $C \xrightarrow{a}_{\circ} C'$ and $e \xrightarrow{a} e'$;

- $t$ is the context trace of $e$ w.r.t. $C'$ and $s'$ when $C[e/x] \xrightarrow{a} C'[e/x]$ with $C \xrightarrow{a} C'$ and $s = a \cdot s'$;

- $t = s$ when $C = x$.

Lemma 7. For every linear context $C_{x:\tau}$ and LPCF program $e \in \mathcal{P}rog(\tau)$, if $C[e/x] \xrightarrow{s}$, then $e$ has a context trace w.r.t. $C$ and $s$.

Proof. The definition of context trace is sound by Lemma 6 and Lemma 4, hence it is always feasible to construct the $(C, s)$-trace from the full sequence of $s$; the definition indeed gives the construction. □

We also write $C[e/x] \xrightarrow{(s,t)}$ when $t$ is a context trace of $e$ w.r.t. $C$ and $s$.

Lemma 8. For every pair of LPCF traces $(s, t)$ and LPCF programs $e_1, e_2 \in \mathcal{P}rog(\tau)$, if $e_1 \xrightarrow{t}$ and $e_2 \xrightarrow{t}$, then for all linear contexts $C_{x:\tau}$, $C[e_1/x] \xrightarrow{(s,t)}$ implies $C[e_2/x] \xrightarrow{(s,t)}$.

Proof. We prove by induction on the full length of $C[e_1/x] \xrightarrow{(s,t)}$, counting internal transitions.

The base case is trivial. For non-empty traces, we analyze by cases:

- $C[e_1/x] \leadsto C'[e_1/x] \xrightarrow{(s,t)}$ with $C \leadsto C'$. By induction $C'[e_2/x] \xrightarrow{(s,t)}$, hence $C[e_2/x] \leadsto C'[e_2/x] \xrightarrow{(s,t)}$.

- $C[e_1/x] \leadsto C[e'_1/x] \xrightarrow{(s,t)}$ with $e_1 \leadsto e'_1$. Clearly $e'_1 \xrightarrow{t}$, so by induction, $C[e_2/x] \xrightarrow{(s,t)}$.

- $C[e_1/x] \leadsto C'[e'_1/y] \xrightarrow{(s,t')}$ with $t = a \cdot t'$. Since $e_2 \xrightarrow{t}$, i.e., there exist $e''_2$ and $e'_2$ such that $e_2 \leadsto^* e''_2 \xrightarrow{a} e'_2 \xrightarrow{t'}$, by induction we have $C'[e'_2/y] \xrightarrow{(s,t')}$. According to the definition of linear context reduction, $C$ must be an evaluation context, hence $C[e_2/x] \leadsto^* C[e''_2/x] \leadsto C'[e'_2/y] \xrightarrow{(s,t')}$, i.e., $C[e_2/x] \xrightarrow{(s,t)}$.

- $C[e_1/x] \xrightarrow{a} C'[e_1/x] \xrightarrow{(s',t)}$ with $C \xrightarrow{a} C'$ and $s = a \cdot s'$. By induction, $C'[e_2/x] \xrightarrow{(s',t)}$, from which it follows that $C[e_2/x] \xrightarrow{a} C'[e_2/x] \xrightarrow{(s',t)}$, i.e., $C[e_2/x] \xrightarrow{(s,t)}$.

- $C = x$ and $s = t$. Clearly $C[e_2/x] = e_2 \xrightarrow{t}$, i.e., $C[e_2/x] \xrightarrow{(s,t)}$.

Lemma 6 and Lemma 4 ensure that the above analysis is comprehensive. □

Proof (Theorem 1). Consider an arbitrary linear context $C$ and trace $s$ such that $C[e_1/x] \xrightarrow{s}$. By Lemma 7, $e_1$ has a $(C, s)$-trace $t$, i.e., $e_1 \xrightarrow{t}$, which implies $e_2 \xrightarrow{t}$ since $e_1 \sqsubseteq_T e_2$. By Lemma 8, $C[e_2/x] \xrightarrow{s}$, hence $C[e_1/x] \sqsubseteq_T C[e_2/x]$. □

Theorem 2 (Soundness of trace equivalence). In LPCF, it holds that $\simeq_T \subseteq \simeq_C$.

Proof. For every well-typed linear context $C_x$, if $C[e_1/x] \Downarrow$, i.e., $C[e_1/x] \leadsto^* v$ for some canonical term $v$, then $C[e_1/x] \leadsto^* v \xrightarrow{a}$ for some external action $a$. By the precongruence property of $\sqsubseteq_T$, Theorem 1, we have $C[e_1/x] \sqsubseteq_T C[e_2/x]$. Therefore, there is some term $e$ such that $C[e_2/x] \leadsto^* e \xrightarrow{a}$. In order to perform an external action, $e$ here must be a canonical term, and it follows that $C[e_2/x] \Downarrow$. Similarly we can show that if $C[e_2/x] \Downarrow$, then $C[e_1/x] \Downarrow$. □

Theor
 3 (Completeness). In LPCF, it holds that $\simeq_C \subseteq \simeq_T$.

Proof. We first notice that in Definition 1 the relations $\sqsubseteq_C$ and $\simeq_C$ are defined by quantifying over all linear contexts. In fact, it suffices to quantify over the subset of linear contexts that are evaluation contexts (viewing $C_x$ as $C[[\,]/x]$). In other words, for any two terms of the same type,

(*) if they are distinguished by a linear context, with $C[e_1/x] \Downarrow$ but $C[e_2/x] \Uparrow$, then they are also distinguished by an evaluation context $C'$ with $C \leadsto^* C'$.

This is proved as follows. Suppose $C[e_1/x] \Downarrow$ but $C[e_2/x] \Uparrow$. We observe that every reduction sequence starting from $C$ must terminate in order to ensure $C[e_1/x] \Downarrow$. So we can proceed by induction on the length of the reduction sequence.

- If $C$ is already an evaluation context, then we are done by setting $C'$ to be $C$.

- $C$ cannot be a normal product, a tensor product or an abstraction, as all these forms cannot be reduced any more, and are not able to meet the requirement that $C[e_2/x] \Uparrow$.

- For all other cases, if $C \leadsto C_1$ then $C_1$ is also a linear context and, by determinacy of the reduction semantics (Proposition 3), we have $C[e_1/x] \leadsto C_1[e_1/x] \Downarrow$ and $C[e_2/x] \leadsto C_1[e_2/x] \Uparrow$. By induction applied to $C_1$, there exists some evaluation context $C'$ such that $C_1 \leadsto^* C'$, $C'[e_1/x] \Downarrow$ and $C'[e_2/x] \Uparrow$. Hence $C \leadsto^* C'$ and we have found the required $C'$.

We now show that, for any terms $e_1, e_2$ of the same type with $e_1 \simeq_C e_2$ and any action sequence $s$, if $e_1 \xrightarrow{s}$ then $e_2 \xrightarrow{s}$, which establishes $e_1 \sqsubseteq_T e_2$. Similarly we can prove $e_2 \sqsubseteq_T e_1$, but we shall omit the details.

We proceed by induction on the length of the transition $e_1 \xrightarrow{s}$. The base case is trivial. For the inductive step, we distinguish two cases.

- $e_1 \leadsto e'_1 \xrightarrow{s}$. Clearly, we can prove, by induction on the structure of contexts, that $e'_1 \sqsubseteq_C e_1$, and then $e'_1 \sqsubseteq_C e_2$. By induction, we obtain that $e_2 \xrightarrow{s}$.

- $e_1 \xrightarrow{a} e'_1 \xrightarrow{s'}$. There are a few subcases, depending on the form of $a$.

  • $a = n$. Both $e_1$ and $e_2$ have type $\mathsf{Nat}$, and $e'_1 = \Omega$, so $e_1 \Downarrow$ and $e_1 = n$. Because $e_1 \simeq_C e_2$, $e_2 \Downarrow$ too (otherwise the simple linear context $x$ can distinguish them). We claim that for every possible reduction sequence $e_2 \leadsto^* e'_2 \not\leadsto$, $e'_2 = n$. First, because $e_2$ has type $\mathsf{Nat}$, by Proposition 1, $e'_2$ has to be an integer constant. Assume that $e_2 \leadsto^* m$ and $m \neq n$. Then the context

    $C_x = \mathsf{if}\ x = n\ \mathsf{then}\ \ldots\ \mathsf{else}\ \Omega$

    will distinguish $e_1$ from $e_2$, which contradicts $e_1 \simeq_C e_2$. Similar is the case where $a$ is a boolean constant.

  • $a = @e$. In this case $e_1$ and $e_2$ must have a function type, and clearly $e_1$ is in canonical form: $e_1 = \lambda x.e''_1$ and $e'_1 = e''_1[e/x]$. Because $e_1 \simeq_C e_2$, the reduction of $e_2$ necessarily terminates and $e_2$ will be reduced to some canonical form $\lambda x.e''_2$, then $e_2 \xrightarrow{@e} e''_2[e/x]$. We claim that $e''_1[e/x] \sqsubseteq_C e''_2[e/x]$. Suppose for a contradiction that $e''_1[e/x] \not\sqsubseteq_C e''_2[e/x]$. There exists some linear context $C$ such that $C[e''_1[e/x]/y] \Downarrow$ but $C[e''_2[e/x]/y] \Uparrow$. By property (*) above, we can assume that $C$ is an evaluation context. Then we can construct another context $C' := C[y\,e/y]$. Clearly $C'[e_1/y] \Downarrow$ because

    $C'[e_1/y] = C[e_1\,e/y] = C[(\lambda x.e''_1)e/y] \leadsto C[e''_1[e/x]/y] \Downarrow$.

    However, $C'[e_2/y] \Uparrow$ because

    $C'[e_2/y] = C[e_2\,e/y] \leadsto^* C[(\lambda x.e''_2)e/y] \leadsto C[e''_2[e/x]/y] \Uparrow$.

    This is a contradiction to $e_1 \sqsubseteq_C e_2$. Therefore the assumption is wrong and we have $e''_1[e/x] \sqsubseteq_C e''_2[e/x]$. By induction, we have $e''_2[e/x] \xrightarrow{s'}$ and it follows that $e_2 \xrightarrow{@e} e''_2[e/x] \xrightarrow{s'}$.

  • $a = \mathsf{proj}_1$. In this case $e_1, e_2$ must have a normal product type, then $e_1$ is in canonical form $(e_{11}, e_{12})$ and $e'_1 = e_{11}$. The term $e_2$ can be reduced to a canonical term $(e_{21}, e_{22})$, and then $e_2 \xrightarrow{\mathsf{proj}_1} e_{21}$. We claim that $e_{11} \sqsubseteq_C e_{21}$. Suppose for a contradiction that $e_{11} \not\sqsubseteq_C e_{21}$. There exists some linear context $C$ such that $C[e_{11}/y] \Downarrow$ but $C[e_{21}/y] \Uparrow$. By property (*), $C$ can be assumed to be an evaluation context. Then we can construct another context $C' := C[\mathsf{proj}_1(y)/y]$. Clearly $C'[e_1/y] \Downarrow$ because

    $C'[e_1/y] = C[\mathsf{proj}_1(e_1)/y] = C[\mathsf{proj}_1((e_{11}, e_{12}))/y] \leadsto C[e_{11}/y] \Downarrow$.

    However, $C'[e_2/y] \Uparrow$ because

    $C'[e_2/y] = C[\mathsf{proj}_1(e_2)/y] \leadsto^* C[\mathsf{proj}_1((e_{21}, e_{22}))/y] \leadsto C[e_{21}/y] \Uparrow$.

    This is a contradiction to $e_1 \sqsubseteq_C e_2$. Therefore the assumption is wrong and we have $e_{11} \sqsubseteq_C e_{21}$. By induction, we have $e_{21} \xrightarrow{s'}$ and it follows that $e_2 \xrightarrow{\mathsf{proj}_1} e_{21} \xrightarrow{s'}$.

    The case for $a = \mathsf{proj}_2$ is similar.

  • $a = \otimes e$. In this case $e_1, e_2$ must have a tensor product type, then $e_1$ is in canonical form $e_{11} \otimes e_{12}$ and $e'_1 = e[e_{11}/x, e_{12}/y]$. The term $e_2$ can be reduced to a canonical term $e_{21} \otimes e_{22}$, and then $e_2 \xrightarrow{\otimes e} e[e_{21}/x, e_{22}/y]$. We claim that $e[e_{11}/x, e_{12}/y] \sqsubseteq_C e[e_{21}/x, e_{22}/y]$. Suppose for a contradiction that $e[e_{11}/x, e_{12}/y] \not\sqsubseteq_C e[e_{21}/x, e_{22}/y]$. There exists some linear context $C$ such that $C[e'_1/z] \Downarrow$ but $C[(e[e_{21}/x, e_{22}/y])/z] \Uparrow$. By property (*) above, we can assume that $C$ is an evaluation context. Then we can construct another context $C' := C[(\mathsf{let}\ x \otimes y = z\ \mathsf{in}\ e)/z]$. Clearly $C'[e_1/z] \Downarrow$ because

    $C'[e_1/z] = C[(\mathsf{let}\ x \otimes y = e_1\ \mathsf{in}\ e)/z] = C[(\mathsf{let}\ x \otimes y = e_{11} \otimes e_{12}\ \mathsf{in}\ e)/z] \leadsto C[(e[e_{11}/x, e_{12}/y])/z] \Downarrow$.

    However, $C'[e_2/z] \Uparrow$ because

    $C'[e_2/z] = C[(\mathsf{let}\ x \otimes y = e_2\ \mathsf{in}\ e)/z] \leadsto^* C[(\mathsf{let}\ x \otimes y = e_{21} \otimes e_{22}\ \mathsf{in}\ e)/z] \leadsto C[(e[e_{21}/x, e_{22}/y])/z] \Uparrow$.

    This is a contradiction to $e_1 \sqsubseteq_C e_2$. Therefore the assumption is wrong and we have $e[e_{11}/x, e_{12}/y] \sqsubseteq_C e[e_{21}/x, e_{22}/y]$. By induction, we have the transition $e[e_{21}/x, e_{22}/y] \xrightarrow{s'}$. It follows that $e_2 \xrightarrow{\otimes e} e[e_{21}/x, e_{22}/y] \xrightarrow{s'}$. □



4 The non-deterministic linear PCF 

In this section we shall extend our language with non-determinism, where the example in Section 1 emerges. We show that our approach can still be applied to characterize linear contextual equivalence in the non-deterministic setting.

The extension with non-determinism is made in Moggi's computational framework [19], which provides a call-by-value wrapping of imperative features in pure functional languages, using monadic types. We use Moggi's framework also because our original semantics of LPCF is a call-by-name evaluation strategy, while we need call-by-value evaluation of non-deterministic choice for illustrating interesting effects. Were the original semantics call-by-value, we would not have to use Moggi's framework.

The types of the non-deterministic LPCF (NLPCF for short) are extended by a unary type constructor $T$: $T\tau$ is the type of non-deterministic computations that return, if they terminate, values of type $\tau$. The language then has extra constructs related to non-determinism:

$e, e', \ldots ::= \ldots$
$\quad \mid\ \mathsf{val}(e)$ (trivial computation)
$\quad \mid\ \mathsf{bind}\ x = e\ \mathsf{in}\ e'$ (sequential composition)
$\quad \mid\ e \sqcap e'$ (non-deterministic choice)

$\mathsf{val}(e)$ is the trivial computation that directly returns $e$ as a value; $\mathsf{bind}\ x = e\ \mathsf{in}\ e'$ binds the value of the (non-deterministic) computation $e$ to the variable $x$ and evaluates $e'$; $e \sqcap e'$ non-deterministically chooses a computation from $e$ and $e'$ and executes it. Type assertions for the extra constructs are defined by the following rules:

$\frac{\Gamma; \Delta \vdash e : \tau}{\Gamma; \Delta \vdash \mathsf{val}(e) : T\tau}$
$\qquad \frac{\Gamma; \emptyset \vdash e_1 : T\tau_1 \quad \Gamma, x : \tau_1; \Delta \vdash e_2 : T\tau_2}{\Gamma; \Delta \vdash \mathsf{bind}\ x = e_1\ \mathsf{in}\ e_2 : T\tau_2}$

$\frac{\Gamma; \Delta \vdash e_1 : T\tau_1 \quad \Gamma; \Delta', x : \tau_1 \vdash e_2 : T\tau_2}{\Gamma; \Delta, \Delta' \vdash \mathsf{bind}\ x = e_1\ \mathsf{in}\ e_2 : T\tau_2}$
$\qquad \frac{\Gamma; \Delta \vdash e_i : T\tau \ (i = 1, 2)}{\Gamma; \Delta \vdash e_1 \sqcap e_2 : T\tau}$

The typing for sequential computation must respect the linearity restriction. Also, linear variables appear in both branches of the non-deterministic choice, since eventually only one branch will be executed.

We write $\mathcal{P}rog_{NL}(\tau)$ for the set of programs (closed terms) of type $\tau$ in NLPCF.

4.1 Operational semantics 

The operational semantics of NLPCF is extended with the following basic reduction rules

$\mathsf{bind}\ x = \mathsf{val}(e')\ \mathsf{in}\ e \leadsto (\lambda x.e)e'$, where $e' \not\leadsto$,
$e_1 \sqcap e_2 \leadsto e_i \ (i = 1, 2)$,

together with the extension for evaluation contexts:

$\mathcal{E} ::= \ldots \mid \mathsf{bind}\ x = \mathcal{E}\ \mathsf{in}\ e \mid \mathsf{val}(\mathcal{E})$.

According to linearity, we do not allow the evaluation contexts $\mathcal{E} \sqcap e$ and $e \sqcap \mathcal{E}$.

The $\sqcap$ operator behaves like the internal choice in CSP [11]. We can also add the external choice operator $\square$, together with the rules

$e_1 \square e_2 \leadsto e'_1 \square e_2$, where $e_1 \leadsto e'_1$,
$e_1 \square e_2 \leadsto e_1 \square e'_2$, where $e_2 \leadsto e'_2$.

In accord with linearity, the typing rule for $\square$ will be different from that of $\sqcap$:

$\frac{\Gamma; \Delta_1 \vdash e_1 : T\tau \quad \Gamma; \Delta_2 \vdash e_2 : T\tau}{\Gamma; \Delta_1, \Delta_2 \vdash e_1 \square e_2 : T\tau}$

Our later development only considers the internal choice operator, but it can be easily adapted to languages with external choice, with careful treatment of the reductions that can discard linear variables.

Canonical terms of NLPCF, besides the canonical terms of LPCF, now include terms of the form $\mathsf{val}(v)$ where $v \not\leadsto$. The propositions about canonical form and subject reduction still hold.

Proposition 4. If $e$ is an NLPCF program and $e \not\leadsto$, then $e$ must be in canonical form.

Proposition 5. In NLPCF, if $\Gamma; \Delta \vdash e : \tau$ and $e \leadsto e'$, then $\Gamma; \Delta \vdash e' : \tau$.

The reduction system for NLPCF is non-deterministic and a term does not necessarily reduce to a unique value even if it converges: there is no confluence property in NLPCF. For any closed term $e$, we say

- $e$ may converge (written as $e \Downarrow$) if there exists a value $v$ such that $e \leadsto^* v$;

- $e$ must converge (written as $e \Downarrow^{must}$) if there is no infinite reduction starting from $e$, i.e., a reduction of $e$ always terminates;

- $e$ may diverge (written as $e \Uparrow^{may}$) if $e$ has an infinite reduction sequence $e \leadsto e_1 \leadsto e_2 \leadsto \cdots$;

- $e$ must diverge (written as $e \Uparrow$) if there is no value $v$ such that $e \leadsto^* v$, i.e., $e$ never reduces to a value.

4.2 Labeled transition system 

The labeled transition system for NLPCF is extended by the following rule:

$\frac{\Gamma; \Delta \vdash \mathsf{val}(e) : T\tau \quad e \not\leadsto}{\mathsf{val}(e) \xrightarrow{T} e}$

The rule represents how programs of monadic types interact with contexts.

Similarly as in LPCF, we can define trace, trace preorder (written as $\sqsubseteq_{NT}$) and trace equivalence (written as $\simeq_{NT}$) for NLPCF.

Example 1. Consider the two programs $f_1$ and $f_2$ in Section 1. Both of them have, among many others, the trace $(T, @e, T, 1)$ because of the following inferences:

$f_1 = \mathsf{val}(\lambda x.\mathsf{val}(0) \sqcap \mathsf{val}(1)) \xrightarrow{T} \lambda x.\mathsf{val}(0) \sqcap \mathsf{val}(1) \xrightarrow{@e} \mathsf{val}(0) \sqcap \mathsf{val}(1) \leadsto \mathsf{val}(1) \xrightarrow{T} 1$

$f_2 = \mathsf{val}(\lambda x.\mathsf{val}(0)) \sqcap \mathsf{val}(\lambda x.\mathsf{val}(1)) \leadsto \mathsf{val}(\lambda x.\mathsf{val}(1)) \xrightarrow{T} \lambda x.\mathsf{val}(1) \xrightarrow{@e} \mathsf{val}(1)[e/x] = \mathsf{val}(1) \xrightarrow{T} 1$




The definition of linear context is as in LPCF, so correspondingly we have the following linear context transition:

$C[\mathsf{bind}\ z = x\ \mathsf{in}\ e/y] \xrightarrow{T}_{\circ} C[(\lambda z.e)x'/y]$, where $x'$ is a fresh variable.

The linear context transition lemma still holds:

Lemma 9 (Linear context transition lemma in NLPCF). For every linear context $C_{x:\tau}$ and NLPCF program $e \in \mathcal{P}rog_{NL}(\tau)$ such that $C[e/x] \not\leadsto$, a transition from $C[e/x]$ must be of either of the two forms:

- $C[e/x] \xrightarrow{a} C'[e/x]$ with $C \xrightarrow{a} C'$;

- $C = x$ and $C[e/x] = e \xrightarrow{a} e'$.

Proof. Similar to Lemma 4. □
4.3 Linear contextual equivalence in NLPCF

The Morris-style contextual equivalence depends on the notion of convergence, but in NLPCF we need to choose between the may and must notions of convergence.

The notions of convergence/divergence in NLPCF accordingly lead to the following equivalence relations on programs. Let $e_1, e_2 \in \mathcal{P}rog_{NL}(\tau)$ for an arbitrary type $\tau$:

- $e_1 \simeq_{\Downarrow} e_2$: $e_1 \Downarrow$ if and only if $e_2 \Downarrow$;

- $e_1 \simeq_{\Downarrow^{must}} e_2$: $e_1 \Downarrow^{must}$ if and only if $e_2 \Downarrow^{must}$;

- $e_1 \simeq_{\Uparrow^{may}} e_2$: $e_1 \Uparrow^{may}$ if and only if $e_2 \Uparrow^{may}$;

- $e_1 \simeq_{\Uparrow} e_2$: $e_1 \Uparrow$ if and only if $e_2 \Uparrow$.

It can be easily checked that $\simeq_{\Downarrow} = \simeq_{\Uparrow}$ and $\simeq_{\Downarrow^{must}} = \simeq_{\Uparrow^{may}}$.

Must convergence equivalence $\simeq_{\Downarrow^{must}}$ does not conform to trace equivalence in a non-deterministic language. If the reduction is deterministic or confluent, we can conclude that a term converges as long as it has non-empty traces; however, this is not true for must convergence in a non-deterministic language: by observing the traces of a term we can no longer tell whether the term has a non-terminating reduction sequence, since every term can take the empty trace, which by itself can represent divergence. On the contrary, if a term has only the empty trace, then we can conclude that the term must diverge.

The linear contextual equivalence in NLPCF is defined based on the notion of may convergence.

Definition 3 (Non-deterministic linear contextual equivalence). We write $e_1 \sqsubseteq_{NC} e_2$ for $e_1, e_2 \in \mathcal{P}rog_{NL}(\tau)$ if $C[e_1/x] \Downarrow$ implies $C[e_2/x] \Downarrow$ for all linear contexts $C_{x:\tau}$. The relation $\sqsubseteq_{NC}$ is called the non-deterministic linear contextual preorder. Non-deterministic linear contextual equivalence $\simeq_{NC}$ is defined as the symmetrization of $\sqsubseteq_{NC}$, that is, $e_1 \simeq_{NC} e_2$ iff $e_1 \sqsubseteq_{NC} e_2$ and $e_2 \sqsubseteq_{NC} e_1$.

The definition of linear context reductions remains the same as in LPCF, except 
that we are considering the extended transition system for NLPCF. The linear context 
reduction lemma still holds, from which the precongruence of trace preorder follows, 
which in turn enables us to prove the soundness of trace preorder with respect to linear 
contextual equivalence in NLPCF. 



Lemma 10 (Linear context reduction lemma in NLPCF). For every linear context $C_{x:\tau}$ and NLPCF program $e \in \mathcal{P}rog_{NL}(\tau)$, if $C[e/x]$ is reducible, then the reduction of $C[e/x]$ must be a linear context reduction.

Proof. The proof goes as in Lemma 6, by induction on the structure of the linear context $C$. We show only the cases for the new constructs.

- $C = \mathsf{bind}\ y = C'\ \mathsf{in}\ e'$. This is an evaluation context, so if $C'[e/x]$ reduces, it must be a linear context reduction, and then $C[e/x]$ is a linear context reduction of the same form as that of $C'[e/x]$. If $C'[e/x]$ does not reduce, it must be canonical of the form $\mathsf{val}(\cdots)$, and there are two cases:

  • $C' = \mathsf{val}(C'')$ and $C''[e/x] \not\leadsto$. Then

    $C[e/x] = \mathsf{bind}\ y = \mathsf{val}(C''[e/x])\ \mathsf{in}\ e' \leadsto (\lambda y.e')C''[e/x] = ((\lambda y.e')C'')[e/x]$ (because $x$ does not appear free in $\lambda y.e'$)

    with

    $C = \mathsf{bind}\ y = \mathsf{val}(C'')\ \mathsf{in}\ e' \leadsto (\lambda y.e')C''$,

    which is a linear context. The reduction is the first form of LCR.

  • $C' = x$ and $e = \mathsf{val}(e'')$ ($e'' \not\leadsto$). In this case,

    $C[e/x] = \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ e' \leadsto (\lambda y.e')e''$.

    It is clear that $C = \mathsf{bind}\ y = x\ \mathsf{in}\ e' \xrightarrow{T}_{\circ} (\lambda y.e')x'$ and $e = \mathsf{val}(e'') \xrightarrow{T} e''$, so the reduction is the third form of LCR.

- $C = \mathsf{bind}\ y = e'\ \mathsf{in}\ C'$. If $e' \leadsto e''$, then $C[e/x] \leadsto \mathsf{bind}\ y = e''\ \mathsf{in}\ C'[e/x]$ with $C \leadsto \mathsf{bind}\ y = e''\ \mathsf{in}\ C'$. If $e'$ does not reduce, it must be of the form $\mathsf{val}(e'')$, then $C[e/x] \leadsto C'[e/x][e''/y] = C'[e''/y][e/x]$, with $C \leadsto C'[e''/y]$, which is a linear context since $e''$ is closed. In both cases, the reduction is the first form of LCR.

- $C = C_1 \sqcap C_2$. Clearly, both $C_1$ and $C_2$ are linear contexts, then

  $C[e/x] = C_1[e/x] \sqcap C_2[e/x] \leadsto C_i[e/x] \ (i = 1, 2)$,

  with $C \leadsto C_i$. The reduction is the first form of LCR.

- $C = \mathsf{val}(C')$. Clearly $C'$ is a linear context and $C'[e/x] \leadsto$ is an LCR, so $C[e/x] \leadsto$ is also an LCR of the same form as that of $C'[e/x]$. □

Theorem 4 (Linear precongruence of $\sqsubseteq_{NT}$). Trace preorder $\sqsubseteq_{NT}$ is a precongruence with respect to linear contexts, i.e., $e_1 \sqsubseteq_{NT} e_2$ implies that $C[e_1/x] \sqsubseteq_{NT} C[e_2/x]$ for all linear contexts $C_x$ in NLPCF.

Theorem 5 (Soundness of $\simeq_{NT}$). In NLPCF, it holds that $\simeq_{NT} \subseteq \simeq_{NC}$.

Proof. Assume that $e_1, e_2 \in \mathcal{P}rog_{NL}(\tau)$ are two programs of NLPCF such that $e_1 \simeq_{NT} e_2$. By precongruence, for every linear context $C_{x:\tau}$, $C[e_1/x] \simeq_{NT} C[e_2/x]$. If $C[e_1/x] \Downarrow$, i.e., $Tr(C[e_1/x])$ has non-empty traces, then $Tr(C[e_2/x])$ has non-empty traces too, hence $C[e_2/x] \Downarrow$. Similarly, if $C[e_2/x] \Downarrow$, then $C[e_1/x] \Downarrow$. □

The above theorem allows us to prove the equivalence of the two functions in Example 1: it is easy to check that both functions have the traces $(T, @e, T, 0)$ and $(T, @e, T, 1)$ (where $e$ is an arbitrary closed NLPCF term of proper type) as well as their subtraces, and they have no other traces.



4.4 Completeness of trace equivalence in NLPCF

The rest of the section is devoted to proving the completeness of trace equivalence with respect to linear contextual equivalence in NLPCF. Unlike the proof of Theorem 3, an induction over the length of traces does not work in a non-deterministic language, therefore we propose a novel proof of completeness.

We begin by constructing trace-specific linear contexts which "recognize" the corresponding traces. Given a trace $s$, we define the $s$-context $C^s_{x:\tau}$ by induction on $s$:

$C^{\epsilon}_{x:\tau} \stackrel{def}{=} \mathsf{val}(x)$
$C^{n}_{x:\mathsf{Nat}} \stackrel{def}{=} \mathsf{if}\ x = n\ \mathsf{then}\ \mathsf{val}(0)\ \mathsf{else}\ \Omega_{T\mathsf{Nat}}$
$C^{\mathsf{true}}_{x:\mathsf{Bool}} \stackrel{def}{=} \mathsf{if}\ x\ \mathsf{then}\ \mathsf{val}(0)\ \mathsf{else}\ \Omega_{T\mathsf{Nat}}$
$C^{\mathsf{false}}_{x:\mathsf{Bool}} \stackrel{def}{=} \mathsf{if}\ x\ \mathsf{then}\ \Omega_{T\mathsf{Nat}}\ \mathsf{else}\ \mathsf{val}(0)$
$C^{@e \cdot s}_{x:\tau \multimap \tau'} \stackrel{def}{=} \mathsf{bind}\ y = \mathsf{val}(x\,e)\ \mathsf{in}\ C^{s}_{y:\tau'}$, where $\emptyset; \emptyset \vdash e : \tau$
$C^{\mathsf{proj}_i \cdot s}_{x:\tau_1 \times \tau_2} \stackrel{def}{=} \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_i(x))\ \mathsf{in}\ C^{s}_{y:\tau_i}$
$C^{\otimes e \cdot s}_{x:\tau_1 \otimes \tau_2} \stackrel{def}{=} \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = x\ \mathsf{in}\ e)\ \mathsf{in}\ C^{s}_{y:\tau'}$, where $\emptyset; z_1 : \tau_1, z_2 : \tau_2 \vdash e : \tau'$
$C^{T \cdot s}_{x:T\tau} \stackrel{def}{=} \mathsf{bind}\ y = x\ \mathsf{in}\ C^{s}_{y:\tau}$

It can be easily checked that $\emptyset; x : \tau \vdash C^s_{x:\tau} : T\tau'$ for some type $\tau'$, if $x$ is a linear variable, and we call it a linear $s$-context. In particular, if $s$ is a computational trace then $\tau'$ is $\mathsf{Nat}$. We shall often omit the type information when it is obvious or irrelevant.

In the definition we do not consider traces $c \cdot s$ with a boolean/integer constant $c$ followed by a non-empty trace $s$, because a valid trace must be taken by a program, while a program that takes the $c$-transition must be $c$ itself, which no longer takes any external action after the transition ($c \xrightarrow{c} \Omega$).

The following two lemmas show that a program can take a computational trace $s$ if and only if the corresponding linear $s$-context, when filled in with the program, may converge.

Lemma 11. For every NLPCF program $e$ and every computational trace $s$, if $e \xrightarrow{s}$ then $C^s_x[e/x] \Downarrow$, for the linear $s$-context $C^s_x$.

Proof. Let $e \in \mathcal{P}rog_{NL}(\tau)$ be an arbitrary NLPCF program. We prove by induction on the length of $s$.

- $s = c$, where $c$ is a boolean or integer constant. We show the case of an integer constant; the proof for a boolean constant is similar. If $e$ has the trace $c \cdot s'$, i.e., $e \leadsto^* c$ and $s' = \epsilon$, it follows that

  $C^s_x[e/x] = \mathsf{if}\ e = c\ \mathsf{then}\ \mathsf{val}(0)\ \mathsf{else}\ \Omega \leadsto^* \mathsf{if}\ c = c\ \mathsf{then}\ \mathsf{val}(0)\ \mathsf{else}\ \Omega \leadsto^* \mathsf{val}(0) \Downarrow$.

- $s = @e' \cdot s'$. If $e$ has the trace $@e' \cdot s'$, i.e.,

  $e \leadsto^* \lambda z.e_1 \xrightarrow{@e'} e_1[e'/z] \leadsto^* e'' \xrightarrow{s'}$

  with $e'$ a closed term of proper type and $e'' \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(e\,e')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}((\lambda z.e_1)e')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e_1[e'/z])\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e''/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e'' \xrightarrow{s'}$ that $C^{s'}_y[e''/y] \Downarrow$, therefore $C^s_x[e/x] \Downarrow$.

- $s = \mathsf{proj}_1 \cdot s'$. If $e$ has the trace $\mathsf{proj}_1 \cdot s'$, i.e.,

  $e \leadsto^* (e_1, e_2) \xrightarrow{\mathsf{proj}_1} e_1 \leadsto^* e'_1 \xrightarrow{s'}$

  with $e'_1 \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1(e))\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1((e_1, e_2)))\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e_1)\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'_1)\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e'_1/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e'_1 \xrightarrow{s'}$ that $C^{s'}_y[e'_1/y] \Downarrow$, therefore $C^s_x[e/x] \Downarrow$.

  The case $s = \mathsf{proj}_2 \cdot s'$ is similar.

- $s = \otimes e' \cdot s'$. If $e$ has the trace $\otimes e' \cdot s'$, i.e.,

  $e \leadsto^* e_1 \otimes e_2 \xrightarrow{\otimes e'} e'[e_1/z_1, e_2/z_2] \leadsto^* e'' \xrightarrow{s'}$ (1)

  with $\emptyset; z_1 : \tau_1, z_2 : \tau_2 \vdash e' : \tau'$ ($\tau = \tau_1 \otimes \tau_2$) and $e'' \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e\ \mathsf{in}\ e')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e_1 \otimes e_2\ \mathsf{in}\ e')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e'[e_1/z_1, e_2/z_2])\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e''/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e'' \xrightarrow{s'}$ that $C^{s'}_y[e''/y] \Downarrow$, therefore $C^s_x[e/x] \Downarrow$.

- $s = T \cdot s'$. If $e$ has the trace $T \cdot s'$, i.e.,

  $e \leadsto^* \mathsf{val}(e') \xrightarrow{T} e' \xrightarrow{s'}$

  with $e' \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = e\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e'/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e' \xrightarrow{s'}$ that $C^{s'}_y[e'/y] \Downarrow$, therefore $C^s_x[e/x] \Downarrow$. □

Lemma 12. For any $e \in \mathcal{P}rog_{NL}(\tau)$ and trace $s$, if $C^s_x[e/x] \Downarrow$ then $e \xrightarrow{s}$.

Proof. We prove by induction over the length of $s$, with an NLPCF program $e$.

- $s = \epsilon$. It is clear that $\epsilon \in Tr(e)$.

- $s = c$, where $c$ is a boolean or integer constant. Assume that $c$ is an integer (the case of booleans is similar). Since $C^s_x[e/x] = \mathsf{if}\ e = c\ \mathsf{then}\ \mathsf{val}(0)\ \mathsf{else}\ \Omega \Downarrow$, it must hold that $e$ may converge and $e \leadsto^* c$, hence $e \leadsto^* c \xrightarrow{c}$.

- $s = @e' \cdot s'$, with $e'$ a closed term of proper type. Since

  $C^{@e' \cdot s'}_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(e\,e')\ \mathsf{in}\ C^{s'}_y \Downarrow$,

  there must be a reduction sequence

  $C^{@e' \cdot s'}_x[e/x] \leadsto^* \mathsf{bind}\ y = \mathsf{val}((\lambda z.e_1)e')\ \mathsf{in}\ C^{s'}_y$ (where $e \leadsto^* \lambda z.e_1$)
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e_1[e'/z])\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ C^{s'}_y$ (where $e_1[e'/z] \leadsto^* e''$ and $e'' \not\leadsto$)
  $\quad \leadsto^* C^{s'}_y[e''/y]$

  and $C^{s'}_y[e''/y] \Downarrow$, which implies that $e'' \xrightarrow{s'}$ by induction. Clearly, $e$ may converge and $e \leadsto^* \lambda z.e_1 \xrightarrow{@e'} e_1[e'/z] \leadsto^* e'' \xrightarrow{s'}$, i.e., $e \xrightarrow{s}$.

- $s = \mathsf{proj}_1 \cdot s'$. Since

  $C^{\mathsf{proj}_1 \cdot s'}_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1(e))\ \mathsf{in}\ C^{s'}_y \Downarrow$,

  there must be a reduction sequence

  $C^{\mathsf{proj}_1 \cdot s'}_x[e/x] \leadsto^* \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1((e_1, e_2)))\ \mathsf{in}\ C^{s'}_y$ (where $e \leadsto^* (e_1, e_2)$)
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e_1)\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'_1)\ \mathsf{in}\ C^{s'}_y$ (where $e_1 \leadsto^* e'_1$ and $e'_1 \not\leadsto$)
  $\quad \leadsto^* C^{s'}_y[e'_1/y]$

  and $C^{s'}_y[e'_1/y] \Downarrow$, which implies that $e'_1 \xrightarrow{s'}$ by induction. Clearly, $e$ may converge and $e \leadsto^* (e_1, e_2) \xrightarrow{\mathsf{proj}_1} e_1 \leadsto^* e'_1 \xrightarrow{s'}$, i.e., $e \xrightarrow{s}$.

  The case $s = \mathsf{proj}_2 \cdot s'$ is similar.

- $s = \otimes e' \cdot s'$. Since

  $C^{\otimes e' \cdot s'}_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e\ \mathsf{in}\ e')\ \mathsf{in}\ C^{s'}_y \Downarrow$,

  there must be a reduction sequence

  $C^{\otimes e' \cdot s'}_x[e/x] \leadsto^* \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e_1 \otimes e_2\ \mathsf{in}\ e')\ \mathsf{in}\ C^{s'}_y$ (where $e \leadsto^* e_1 \otimes e_2$)
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e'[e_1/z_1, e_2/z_2])\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ C^{s'}_y$ (where $e'[e_1/z_1, e_2/z_2] \leadsto^* e''$ and $e'' \not\leadsto$)
  $\quad \leadsto^* C^{s'}_y[e''/y]$

  and $C^{s'}_y[e''/y] \Downarrow$, which implies that $e'' \xrightarrow{s'}$ by induction. Clearly, $e$ may converge and $e \leadsto^* e_1 \otimes e_2 \xrightarrow{\otimes e'} e'[e_1/z_1, e_2/z_2] \leadsto^* e'' \xrightarrow{s'}$, i.e., $e \xrightarrow{s}$.

- $s = T \cdot s'$. Since

  $C^{T \cdot s'}_x[e/x] = \mathsf{bind}\ y = e\ \mathsf{in}\ C^{s'}_y \Downarrow$,

  there must be a reduction sequence

  $C^{T \cdot s'}_x[e/x] \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e')\ \mathsf{in}\ C^{s'}_y$ (where $e \leadsto^* \mathsf{val}(e')$ and $e' \not\leadsto$)
  $\quad \leadsto^* C^{s'}_y[e'/y]$

  and $C^{s'}_y[e'/y] \Downarrow$, which implies that $e' \xrightarrow{s'}$ by induction. Clearly, $e$ may converge and $e \leadsto^* \mathsf{val}(e') \xrightarrow{T} e' \xrightarrow{s'}$, i.e., $e \xrightarrow{s}$. □
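As an added example that is not part of the paper, the following Python model executes the NLPCF fragment behind Example 1 (val, bind, internal choice, call-by-name application, integer constants) and builds the linear $s$-contexts of Section 4.4 for traces over $T$, $@e$ and a final integer, so that Lemma 11 and Lemma 12 can be checked on $f_1$ and $f_2$: both programs have the same trace set, and $C^s_x[f_i/x]$ may converge exactly for the traces $s$ they can take. The tuple encoding of terms, the constructed divergent term Omega, the single probe argument used for $@e$ actions and the fuel bound are my own assumptions.

```python
# Added example (not the paper's code): an executable model of the NLPCF fragment in
# Example 1 plus the linear s-context of Section 4.4. Terms are nested tuples and
# ('omega',) stands for the divergent term Omega; both encodings are my assumptions.
OMEGA = ('omega',)

def subst(t, x, v):
    """Substitute the closed term v for the free variable x in t."""
    k = t[0]
    if k == 'var':
        return v if t[1] == x else t
    if k == 'lam':                      # ('lam', y, body)
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, v))
    if k == 'bind':                     # ('bind', y, e1, e2): y is bound in e2 only
        return ('bind', t[1], subst(t[2], x, v), t[3] if t[1] == x else subst(t[3], x, v))
    if k in ('app', 'val', 'choice', 'ifeq'):
        return tuple(subst(c, x, v) if isinstance(c, tuple) else c for c in t)
    return t                            # num, omega

def reducts(t):
    """One-step reducts of t: empty if t is irreducible, two when an internal choice fires."""
    k = t[0]
    if k == 'omega':
        return [t]                                          # Omega ~> Omega
    if k == 'app':
        if t[1][0] == 'lam':
            return [subst(t[1][2], t[1][1], t[2])]          # call-by-name beta
        return [('app', f, t[2]) for f in reducts(t[1])]    # E e is an evaluation context
    if k == 'val':
        return [('val', e) for e in reducts(t[1])]          # val(E)
    if k == 'choice':
        return [t[1], t[2]]                                 # e1 |-| e2 ~> e_i
    if k == 'bind':
        inner = reducts(t[2])                               # bind y = E in e
        if inner:
            return [('bind', t[1], e, t[3]) for e in inner]
        if t[2][0] == 'val':                                # bind y = val(e') in e ~> (\y.e)e'
            return [('app', ('lam', t[1], t[3]), t[2][1])]
    if k == 'ifeq':                                         # ('ifeq', e, n, e1, e2)
        inner = reducts(t[1])
        if inner:
            return [('ifeq', e) + t[2:] for e in inner]
        if t[1][0] == 'num':
            return [t[3] if t[1][1] == t[2] else t[4]]
    return []                                               # num, lam, var

def actions(t, probes):
    """External transitions of a canonical term: n --n--> Omega, \\z.e --@p--> e[p/z], val(v) --T--> v."""
    if t[0] == 'num':
        return [(t[1], OMEGA)]
    if t[0] == 'lam':
        return [(('@', p), subst(t[2], t[1], p)) for p in probes]
    if t[0] == 'val' and not reducts(t[1]):
        return [('T', t[1])]
    return []

def traces(t, probes, fuel=20):
    """Prefix-closed trace set of t; @-actions use arguments from the finite list probes."""
    found = {()}
    def explore(term, prefix, fuel):
        if fuel == 0:               # bounds the Omega ~> Omega loop
            return
        for label, nxt in actions(term, probes):
            found.add(prefix + (label,))
            explore(nxt, prefix + (label,), fuel - 1)
        for nxt in reducts(term):
            explore(nxt, prefix, fuel - 1)
    explore(t, (), fuel)
    return found

def may_converge(t):
    """e may converge: some reduction sequence reaches an irreducible term
    (the visited set stops the Omega loop; reachable term sets are finite here)."""
    seen, stack = set(), [t]
    while stack:
        term = stack.pop()
        if term in seen:
            continue
        seen.add(term)
        nxt = reducts(term)
        if not nxt:
            return True
        stack.extend(nxt)
    return False

def s_context(s, x='x'):
    """Linear s-context C^s_x for traces built from T, @e and a final integer constant."""
    if not s:
        return ('val', ('var', x))                          # C^eps_x = val(x)
    a, rest, y = s[0], s[1:], x + "'"
    if isinstance(a, int):                                  # C^n_x = if x = n then val(0) else Omega
        return ('ifeq', ('var', x), a, ('val', ('num', 0)), OMEGA)
    if a == 'T':                                            # C^{T.s}_x = bind y = x in C^s_y
        return ('bind', y, ('var', x), s_context(rest, y))
    if a[0] == '@':                                         # C^{@e.s}_x = bind y = val(x e) in C^s_y
        return ('bind', y, ('val', ('app', ('var', x), a[1])), s_context(rest, y))
    raise ValueError(a)

# The two programs of Example 1 and one closed probe argument e for the @e actions.
F1 = ('val', ('lam', 'x', ('choice', ('val', ('num', 0)), ('val', ('num', 1)))))
F2 = ('choice', ('val', ('lam', 'x', ('val', ('num', 0)))),
                ('val', ('lam', 'x', ('val', ('num', 1)))))
PROBE = ('num', 0)
```

`traces(F1, [PROBE]) == traces(F2, [PROBE])` holds, and `may_converge(subst(s_context(s), 'x', F1))` is true exactly for the traces `s` in that set, as Lemma 11 and Lemma 12 predict.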

The next two lemmas act as the counterparts of the previous two, but our focus now is on traces that are not computational.

Lemma 13. If an NLPCF program $e$ has the trace $s \cdot a$ with $e \xrightarrow{s} e'$ and $e' \xrightarrow{a}$, then $C^s_x[e/x] \leadsto^* \mathsf{val}(e')$.

Proof. We first note that $s$ is not a computational trace. Otherwise the program $e'$ derived from a computational trace would be $\Omega$, which cannot make an external action $a$, a contradiction to the hypothesis that $e' \xrightarrow{a}$.

Let $e \in \mathcal{P}rog_{NL}(\tau)$ be an arbitrary NLPCF program. Similar to the proof of Lemma 11, we prove by induction on the length of $s$.

- $s = \epsilon$. Clearly, it always holds that $e \xrightarrow{\epsilon} e$ and $C^{\epsilon}_x[e/x] = \mathsf{val}(e) \leadsto^* \mathsf{val}(e)$.

- $s = @e_1 \cdot s'$. If $e$ has the trace $@e_1 \cdot s'$, i.e.,

  $e \leadsto^* \lambda z.e_2 \xrightarrow{@e_1} e_2[e_1/z] \leadsto^* e'' \xrightarrow{s'} e'$,

  with $e_1$ a closed term of proper type and $e'' \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(e\,e_1)\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}((\lambda z.e_2)e_1)\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e_2[e_1/z])\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e''/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e'' \xrightarrow{s'} e' \xrightarrow{a}$ that $C^{s'}_y[e''/y] \leadsto^* \mathsf{val}(e')$, therefore $C^s_x[e/x] \leadsto^* \mathsf{val}(e')$ by transitivity of the relation $\leadsto^*$.

- $s = \mathsf{proj}_1 \cdot s'$. If $e$ has the trace $\mathsf{proj}_1 \cdot s'$, i.e.,

  $e \leadsto^* (e_1, e_2) \xrightarrow{\mathsf{proj}_1} e_1 \leadsto^* e'_1 \xrightarrow{s'} e'$,

  with $e'_1 \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1(e))\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1((e_1, e_2)))\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e_1)\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'_1)\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e'_1/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e'_1 \xrightarrow{s'} e' \xrightarrow{a}$ that $C^{s'}_y[e'_1/y] \leadsto^* \mathsf{val}(e')$, therefore $C^s_x[e/x] \leadsto^* \mathsf{val}(e')$ by transitivity of $\leadsto^*$.

  The case $s = \mathsf{proj}_2 \cdot s'$ is similar.

- $s = \otimes e'' \cdot s'$. If $e$ has the trace $\otimes e'' \cdot s'$, i.e.,

  $e \leadsto^* e_1 \otimes e_2 \xrightarrow{\otimes e''} e''[e_1/z_1, e_2/z_2] \leadsto^* e''' \xrightarrow{s'} e'$, (2)

  with $\emptyset; z_1 : \tau_1, z_2 : \tau_2 \vdash e'' : \tau'$ ($\tau = \tau_1 \otimes \tau_2$) and $e''' \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e\ \mathsf{in}\ e'')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e_1 \otimes e_2\ \mathsf{in}\ e'')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto \mathsf{bind}\ y = \mathsf{val}(e''[e_1/z_1, e_2/z_2])\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e''')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e'''/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e''' \xrightarrow{s'} e'$ that $C^{s'}_y[e'''/y] \leadsto^* \mathsf{val}(e')$, therefore $C^s_x[e/x] \leadsto^* \mathsf{val}(e')$.

- $s = T \cdot s'$. If $e$ has the trace $T \cdot s'$, i.e.,

  $e \leadsto^* \mathsf{val}(e'') \xrightarrow{T} e'' \xrightarrow{s'} e'$,

  with $e'' \not\leadsto$, then it follows that

  $C^s_x[e/x] = \mathsf{bind}\ y = e\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ C^{s'}_y$
  $\quad \leadsto^* C^{s'}_y[e''/y]$

  Since $s'$ is a shorter trace than $s$, by induction, we know from $e'' \xrightarrow{s'} e'$ that $C^{s'}_y[e''/y] \leadsto^* \mathsf{val}(e')$, therefore $C^s_x[e/x] \leadsto^* \mathsf{val}(e')$. □

Lemma 14. For every NLPCF program $e \in \mathit{Prog}_{NL}(\tau)$ and trace $s$ that is not computational, if $C^{s}_x[e/x] \Downarrow$ then there is some program $e'$ such that $e \xrightarrow{s} e'$ and $e' \Downarrow$.

Proof. Similar to the proof of Lemma 12. We prove by induction over the length of $s$, with an NLPCF program $e$.

- $s = \epsilon$. Then $C^{\epsilon}_x[e/x] = \mathsf{val}(e) \Downarrow$. It means that $e \Downarrow$. Clearly we also have $e \xrightarrow{\epsilon} e$.



- $s = @e'' \cdot s'$, with $e''$ a closed term of proper type. Since

$$C^{@e'' \cdot s'}_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(e\ e'')\ \mathsf{in}\ C^{s'}_y \Downarrow,$$

there must be a reduction sequence

$$\begin{array}{rcll}
C^{@e'' \cdot s'}_x[e/x] &\rightsquigarrow^*& \mathsf{bind}\ y = \mathsf{val}((\lambda z.e_1)\ e'')\ \mathsf{in}\ C^{s'}_y & (\text{where } e \rightsquigarrow^* \lambda z.e_1) \\
&\rightsquigarrow& \mathsf{bind}\ y = \mathsf{val}(e_1[e''/z])\ \mathsf{in}\ C^{s'}_y \\
&\rightsquigarrow^*& \mathsf{bind}\ y = \mathsf{val}(e''')\ \mathsf{in}\ C^{s'}_y & (\text{where } e_1[e''/z] \rightsquigarrow^* e''' \text{ and } e''' \not\rightsquigarrow) \\
&\rightsquigarrow^*& C^{s'}_y[e'''/y]
\end{array}$$

and $C^{s'}_y[e'''/y] \Downarrow$, which implies that $e''' \xrightarrow{s'} e'$ and $e' \Downarrow$ by induction. Therefore,

$$e \rightsquigarrow^* \lambda z.e_1 \xrightarrow{@e''} e_1[e''/z] \rightsquigarrow^* e''' \xrightarrow{s'} e', \quad \text{i.e., } e \xrightarrow{s} e'.$$

- $s = \mathsf{proj}_1 \cdot s'$. Since

$$C^{\mathsf{proj}_1 \cdot s'}_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1(e))\ \mathsf{in}\ C^{s'}_y \Downarrow,$$

there must be a reduction sequence

$$\begin{array}{rcll}
C^{\mathsf{proj}_1 \cdot s'}_x[e/x] &\rightsquigarrow^*& \mathsf{bind}\ y = \mathsf{val}(\mathsf{proj}_1((e_1, e_2)))\ \mathsf{in}\ C^{s'}_y & (\text{where } e \rightsquigarrow^* (e_1, e_2)) \\
&\rightsquigarrow& \mathsf{bind}\ y = \mathsf{val}(e_1)\ \mathsf{in}\ C^{s'}_y \\
&\rightsquigarrow^*& \mathsf{bind}\ y = \mathsf{val}(e'_1)\ \mathsf{in}\ C^{s'}_y & (\text{where } e_1 \rightsquigarrow^* e'_1 \text{ and } e'_1 \not\rightsquigarrow) \\
&\rightsquigarrow^*& C^{s'}_y[e'_1/y]
\end{array}$$

and $C^{s'}_y[e'_1/y] \Downarrow$, which implies that $e'_1 \xrightarrow{s'} e'$ and $e' \Downarrow$ by induction. Therefore,

$$e \rightsquigarrow^* (e_1, e_2) \xrightarrow{\mathsf{proj}_1} e_1 \rightsquigarrow^* e'_1 \xrightarrow{s'} e', \quad \text{i.e., } e \xrightarrow{s} e'.$$

The case $s = \mathsf{proj}_2 \cdot s'$ is similar.

- $s = \otimes e'' \cdot s'$. Since

$$C^{\otimes e'' \cdot s'}_x[e/x] = \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e\ \mathsf{in}\ e'')\ \mathsf{in}\ C^{s'}_y \Downarrow,$$

there must be a reduction sequence

$$\begin{array}{rcll}
C^{\otimes e'' \cdot s'}_x[e/x] &\rightsquigarrow^*& \mathsf{bind}\ y = \mathsf{val}(\mathsf{let}\ z_1 \otimes z_2 = e_1 \otimes e_2\ \mathsf{in}\ e'')\ \mathsf{in}\ C^{s'}_y & (\text{where } e \rightsquigarrow^* e_1 \otimes e_2) \\
&\rightsquigarrow& \mathsf{bind}\ y = \mathsf{val}(e''[e_1/z_1, e_2/z_2])\ \mathsf{in}\ C^{s'}_y \\
&\rightsquigarrow^*& \mathsf{bind}\ y = \mathsf{val}(e''')\ \mathsf{in}\ C^{s'}_y & (\text{where } e''[e_1/z_1, e_2/z_2] \rightsquigarrow^* e''' \text{ and } e''' \not\rightsquigarrow) \\
&\rightsquigarrow^*& C^{s'}_y[e'''/y]
\end{array}$$

and $C^{s'}_y[e'''/y] \Downarrow$, which implies that $e''' \xrightarrow{s'} e'$ and $e' \Downarrow$ by induction. Therefore,

$$e \rightsquigarrow^* e_1 \otimes e_2 \xrightarrow{\otimes e''} e''[e_1/z_1, e_2/z_2] \rightsquigarrow^* e''' \xrightarrow{s'} e', \quad \text{i.e., } e \xrightarrow{s} e'.$$



- $s = T \cdot s'$. Since

$$C^{T \cdot s'}_x[e/x] = \mathsf{bind}\ y = e\ \mathsf{in}\ C^{s'}_y \Downarrow,$$

there must be a reduction sequence

$$C^{T \cdot s'}_x[e/x] \rightsquigarrow^* \mathsf{bind}\ y = \mathsf{val}(e'')\ \mathsf{in}\ C^{s'}_y \quad (\text{where } e \rightsquigarrow^* \mathsf{val}(e'') \text{ and } e'' \not\rightsquigarrow)$$

and $C^{s'}_y[e''/y] \Downarrow$, which implies that $e'' \xrightarrow{s'} e'$ and $e' \Downarrow$ by induction. Therefore, $e \rightsquigarrow^* \mathsf{val}(e'') \xrightarrow{T} e'' \xrightarrow{s'} e'$, i.e., $e \xrightarrow{s} e'$. □

Theorem 6 (Completeness of $\sim^{NT}$). In NLPCF, it holds that $\sim^{NC} \subseteq \sim^{NT}$.

Proof. Assume that $e_1, e_2$ are two programs and $e_1 \sim^{NC} e_2$. Suppose $e_1 \xrightarrow{s}$ for some trace $s$. We distinguish two cases.

- $s$ is a computational trace. By Lemma 11, we have $C^{s}_x[e_1/x] \Downarrow$. Since $e_1 \sim^{NC} e_2$, it must be the case that $C^{s}_x[e_2/x] \Downarrow$. By Lemma 12, it follows that $e_2 \xrightarrow{s}$.

- $s$ is not a computational trace. If $s = \epsilon$, we obviously have $e_2 \xrightarrow{\epsilon}$. Now suppose that $s = s' \cdot a$, that is, $e_1 \xrightarrow{s'} e'_1 \xrightarrow{a}$ for some $e'_1 \not\rightsquigarrow$. By Lemma 13 we have $C^{s'}_x[e_1/x] \rightsquigarrow^* \mathsf{val}(e'_1)$, which means that $C^{s'}_x[e_1/x] \Downarrow$. Since $e_1 \sim^{NC} e_2$, it must be the case that $C^{s'}_x[e_2/x] \Downarrow$. By Lemma 14, there is some $e'_2$ such that $e_2 \xrightarrow{s'} e'_2$ and $e'_2 \Downarrow$. By Lemma 2, which also holds for NLPCF, we see that $e'_2$ has the same type as $e'_1$. Since $s$ is not a computational trace, $a$ must be in one of the forms $@e$, $\mathsf{proj}_i$, $\otimes e$ or $T$. Depending on the type of $e'_1$, in each case there exists some $e''_2$ such that $e''_2 \not\rightsquigarrow$ and $e'_2 \rightsquigarrow^* e''_2 \xrightarrow{a}$. It follows that $e_2 \xrightarrow{s'} e'_2 \xrightarrow{a}$, that is $e_2 \xrightarrow{s}$.

Symmetrically, any trace of $e_2$ is also a trace of $e_1$. Therefore, we obtain $e_1 \sim^{NT} e_2$. □



5 Conclusion 

We have presented a novel approach for characterizing program equivalence in linear 
contexts, via trace equivalence in appropriate labeled transition systems. The technique 
is both sound and complete, and as we have shown in the paper, is general enough to be 
adapted for languages with linear type systems. 

Linear contextual equivalence is indeed a restricted notion of program equivalence, and one may question its use in practice. As we have explained in the beginning of the paper, it does have applications in security, since we can use linearity to limit adversaries' behaviour. We also believe that such a notion of program equivalence can be useful in reasoning about programs in systems where only restricted access to resources is allowed, particularly when side effects are present. The result in non-deterministic languages already enables us to prove linear contextual equivalence between non-trivial programs.

We have used both program transitions and context transitions to model the interactions between programs and contexts, and the program/context traces (if combined in a proper way) resemble strategies in game semantics [2, 15], despite our operational treatment of traces. However, it is unclear whether a correspondence can be made between program/context actions in the trace model and player/opponent moves in the game model; the exact connection remains to be clarified.